Department of Homeland Security
Office of Inspector General

Information Technology Management Letter for the Federal Emergency Management Agency Component of the FY 2009 DHS Integrated Audit

OIG-10-92                                                          May 2010

Office of Inspector General
U.S. Department of Homeland Security
Washington, DC 25028

May 28, 2010

Preface

The Department of Homeland Security (DHS) Office of Inspector General (OIG) was established by the Homeland Security Act of 2002 (Public Law 107-296) by amendment to the Inspector General Act of 1978. This is one of a series of audit, inspection, and special reports prepared as part of our oversight responsibilities to promote economy, efficiency, and effectiveness within the department.

This report presents the information technology (IT) management letter for the Federal Emergency Management Agency component of the FY 2009 DHS financial statement audit as of September 30, 2009. It contains observations and recommendations related to information technology internal control that were summarized in the Independent Auditors’ Report dated November 13, 2009 and presents the separate restricted distribution report mentioned in that report. The independent accounting firm KPMG LLP (KPMG) performed the audit procedures at FEMA in support of the DHS FY 2009 financial statements and prepared this IT management letter. KPMG is responsible for the attached IT management letter dated March 5, 2010, and the conclusions expressed in it. We do not express opinions on DHS’ financial statements or internal control or conclusions on compliance with laws and regulations.

The recommendations herein have been developed to the best knowledge available to our office, and have been discussed in draft with those responsible for implementation. We trust that this report will result in more effective, efficient, and economical operations. We express our appreciation to all of those who contributed to the preparation of this report.

Frank Deffer
Assistant Inspector General
Information Technology Audits

KPMG LLP
2001 M Street, NW
Washington, DC 20036

March 5, 2010

Inspector General
U.S. Department of Homeland Security
Chief Information Officer
Federal Emergency Management Agency
Chief Financial Officer
Federal Emergency Management Agency

Ladies and Gentlemen:

We were engaged to audit the balance sheet of the U.S. Department of Homeland Security (DHS or Department) as of September 30, 2009 and the related statement of custodial activity for the year then ended (referred to herein as “financial statements”). We were also engaged to examine the Department’s internal control over financial reporting (ICOFR) of the balance sheet as of September 30, 2009, and statement of custodial activity for the year then ended. We were not engaged to audit the statements of net cost, changes in net position, and budgetary resources, for the year ended September 30, 2009 (referred to herein as “other fiscal year [FY] 2009 financial statements”), or to examine ICOFR over the other FY 2009 financial statements. Because of matters discussed in our Independent Auditors’ Report, dated November 13, 2009, the scope of our work was not sufficient to enable us to express, and we did not express, an opinion on the financial statements. In addition, we were unable to perform procedures necessary to form an opinion on DHS’ ICOFR of the FY 2009 balance sheet and statement of custodial activity.

In connection with our FY 2009 engagement, we examined the Federal Emergency Management Agency’s (FEMA) internal control over financial reporting by obtaining an understanding of FEMA’s internal control, determining whether internal controls had been placed in operation, assessing control risk, and performing tests of controls. As noted above, the scope of our work was not sufficient to enable us to express, and we did not express, an opinion on the effectiveness of ICOFR. Further, other matters involving ICOFR may have been identified and reported had we been able to perform all procedures necessary to express an opinion on the DHS balance sheet as of September 30, 2009, and the related statement of custodial activity for the year then ended, and had we been engaged to audit the other FY 2009 financial statements.

A control deficiency exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect and correct misstatements on a timely basis. A significant deficiency is a deficiency, or a combination of deficiencies, in internal control over financial reporting that is less severe than a material weakness, yet important enough to merit attention by those charged with governance. A material weakness is a deficiency, or a combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented, or detected and corrected on a timely basis.

KPMG LLP, a U.S. limited liability partnership, is the U.S. member firm of KPMG International, a Swiss cooperative.

During our audit engagement, we noted certain matters in the areas of security management, access controls, configuration management, and contingency planning with respect to FEMA’s financial systems information technology (IT) general controls which we believe contribute to a DHS-level significant deficiency that is considered a material weakness in IT controls and financial system functionality. These matters are described in the IT General Control and Financial System Functionality Findings by Audit Area section of this letter.

The material weakness described above is presented in our Independent Auditors’ Report, dated November 13, 2009. This letter represents the separate restricted distribution report mentioned in that report.

Although not considered to be a material weakness, we also noted certain other items during our audit engagement which we would like to bring to your attention. These matters are also described in the IT General Control and Financial System Functionality Findings by Audit Area section of this letter.

The material weakness and other comments described herein have been discussed with the appropriate members of management, or communicated through a Notice of Finding and Recommendation (NFR), and are intended. We aim to use our knowledge of DHS’ organization gained during our audit engagement to make comments and suggestions that we hope will be useful to you. We have not considered internal control since the date of our Independent Auditors’ Report.

The Table of Contents on the next page identifies each section of the letter. In addition, we have provided the following: a description of key FEMA financial systems and IT infrastructure within the scope of the FY 2009 DHS financial statement audit engagement in Appendix A; a description of each control deficiency in Appendix B; and the current status of the prior year NFRs in Appendix C. Our comments related to financial management and reporting internal controls have been presented in a separate letter to the Office of Inspector General and the DHS Acting Chief Financial Officer dated December 09, 2009.

This report is intended solely for the information and use of DHS management, DHS Office of Inspector General, the Office of Management and Budget, U.S. Government Accountability Office, and the U.S. Congress, and is not intended to be and should not be used by anyone other than these specified parties.

Very truly yours,

Department of Homeland Security
Federal Emergency Management Agency
Information Technology Management Letter
September 30, 2009

TABLE OF CONTENTS

                                                                                   Page

Objective, Scope and Approach                                                         1

Summary of Findings and Recommendations                                               3

IT General Control and Financial System Functionality Findings by Audit Area          4

   Findings Contributing to a Material Weakness in IT at the Department Level         4

      Security Management                                                             4

      Access Controls                                                                 4

      Configuration Management                                                        5

      Contingency Planning                                                            6

   Other Findings in IT General Controls                                              8

      Security Management                                                             8

      Access Controls                                                                 9

      Configuration Management                                                        9

      Segregation of Duties                                                          10

      Contingency Planning                                                           10

   After-hours Physical Security Testing                                             13

   Causes/Effects for IT General Control Findings                                    14

   Criteria for IT General Controls Findings                                         15

Application Control Findings                                                         16

Management’s Comments and OIG Response                                               16

APPENDICES

Appendix   Subject                                                                 Page

A          Description of Key Federal Emergency Management Agency Financial
           Systems and Information Technology Infrastructure within the Scope
           of the FY 2009 Department of Homeland Security Integrated Audit
           Engagement                                                                17

B          FY 2009 Notices of Information Technology Findings and
           Recommendations at the Federal Emergency Management Agency               19

           - Notice of Findings and Recommendations – Definition of
             Severity Ratings                                                        20

C          Status of Prior Year Notices of Findings and Recommendations (NFR)
           and Comparison to Current Year NFRs at the Federal Emergency
           Management Agency                                                         62

D          Management’s Comments and OIG Response                                    69

E          Report Distributions                                                      70

OBJECTIVE, SCOPE AND APPROACH

During our engagement to perform an integrated audit of Department of Homeland Security (DHS or the Department), we evaluated the effectiveness of information technology (IT) general controls of DHS’ financial processing environment and related IT infrastructure as necessary to support the engagement. The Federal Information System Controls Audit Manual (FISCAM), issued by the Government Accountability Office (GAO), formed the basis of our audit procedures as they relate to our IT general control assessment at the Federal Emergency Management Agency (FEMA). The scope of the FEMA IT general controls assessment is described in Appendix A.

FISCAM was designed to inform financial auditors about IT controls and related audit concerns to assist them in planning their audit work and to integrate the work of auditors with other aspects of the financial statement audit.
FISCAM also provides guidance to IT auditors when considering the scope and extent of review that generally should be performed when evaluating general controls and the IT environment of a federal agency. FISCAM defines the following five control functions to be essential to the effective operation of the IT general controls environment.

•  Security Management (SM) – Controls that provide a framework and continuing cycle of activity for managing risk, developing security policies, assigning responsibilities, and monitoring the adequacy of computer-related security controls.
•  Access Control (AC) – Controls that limit and/or monitor access to computer resources (data, programs, equipment, and facilities) to protect against unauthorized modification, loss, and disclosure.
•  Configuration Management (CM) – Controls that help to prevent the implementation of unauthorized programs or modifications to existing programs.
•  Segregation of Duties (SD) – Controls that constitute policies, procedures, and an organizational structure to prevent one individual from controlling key aspects of computer-related operations, thus deterring unauthorized actions or access to assets or records.
•  Contingency Planning (CP) – Controls that involve procedures for continuing critical operations without interruption, or with prompt resumption, when unexpected events occur.

To complement our IT general controls audit procedures, we also performed technical security testing for key network and system devices. The technical security testing was performed from within a select FEMA facility, and focused on test, development, and production devices that directly support FEMA’s financial processing and key general support systems. Limited social engineering and after-hours physical security testing was also included in the scope of technical security testing.

In addition to testing FEMA’s IT general control environment, we performed testing of automated application controls on a limited number of FEMA’s financial systems and applications. The application control testing was performed to assess the controls that support the financial systems’ internal controls over the input, processing, and output of financial data and transactions.

                                                    1
     Information Technology Management Letter for FEMA Component of the FY 2009 DHS Integrated Audit

•  Application controls - Application controls are the structure, policies, and procedures that apply to separate, individual application systems, such as accounts payable, inventory, payroll, grants, or loans.

SUMMARY OF FINDINGS AND RECOMMENDATIONS

During FY 2009, FEMA took corrective action to address certain prior year IT control weaknesses. For example, FEMA made improvements by finalizing and executing agreements for interconnections with external Federal agencies, developed and implemented financial system backup procedures, made incremental progress in improving processes for recertifying financial application user accounts, and improved the process for retaining National Flood Insurance Program (NFIP) change control documentation. However, during FY 2009, we continued to identify IT general control deficiencies at FEMA. The most significant deficiencies from a financial statement audit perspective related to controls over security management, access to programs and data, program changes, and contingency planning. Collectively, the identified IT control weaknesses limited FEMA’s ability to ensure that critical financial and operational data were maintained in such a manner as to ensure confidentiality, integrity, and availability. In addition, these deficiencies negatively impacted internal control over FEMA’s financial reporting and its operation, and we consider them to collectively represent a material weakness for FEMA under standards established by the American Institute of Certified Public Accountants (AICPA). In addition, based upon the results of our test work, we noted that FEMA did not fully comply with the Department’s requirements under the Federal Financial Management Improvement Act of 1996 (FFMIA).

Of the 58 findings identified during our FY 2009 testing, 22 were repeat findings, either partially or in whole from the prior year, and 36 were new IT findings. These findings represent deficiencies in each of the five FISCAM control areas. We also considered the effects of financial systems functionality when testing internal controls since key FEMA financial systems are not compliant with FFMIA and are no longer supported by the original software provider. Financial system functionality limitations add to the challenge of addressing systemic control deficiencies and strengthening the control environment at FEMA.

The majority of findings resulted from the lack of properly designed, detailed, and consistent guidance over financial system controls to enforce DHS Sensitive Systems Policy Directive 4300A, Information Technology Security Program, requirements and National Institute of Standards and Technology (NIST) guidance. Specifically, the findings stem from: 1) the lack of formal designation of financial system security responsibilities, 2) inadequately designed and operating access control policies and procedures relating to the management of access to financial applications and databases and supervisor recertifications of user access privileges, 3) insufficient logging of system events and monitoring of audit logs, 4) inadequately designed and operating configuration management policies and procedures, 5) patch and configuration management control deficiencies within the system, 6) financial systems that were not properly certified and accredited and authorized to operate, and 7) the lack of tested contingency plans. These deficiencies may increase the risk that the confidentiality, integrity, and availability of system controls and FEMA financial data could be exploited, thereby compromising the integrity of financial data used by management and reported in the DHS consolidated financial statements.

While the recommendations made by us should be considered by FEMA, it is the ultimate responsibility of FEMA to determine the most appropriate method(s) for addressing the deficiencies identified based on its system capabilities and available resources.
IT GENERAL CONTROL AND FINANCIAL SYSTEM FUNCTIONALITY FINDINGS BY AUDIT AREA

Findings Contributing to a Material Weakness in IT at the Department Level

Conditions: In FY 2009, the following IT general control deficiencies were identified at FEMA and contributed to a DHS-level significant deficiency that is considered a material weakness in IT general controls.

1. Security Management – we noted:
   •  The Grants and Training (G&T) Integrated Financial Management Information System (IFMIS) and the Payment and Reporting System (PARS) were not certified and accredited prior to implementation into the production environment in FY 2007 and had been operating without an Authorization to Operate (ATO);
   •  Information System Security Officers (ISSO) and Designated Authorizing Authority (DAA) were not formally designated for G&T IFMIS and PARS;
   •  Vulnerabilities identified during periodic internal scans of the National Emergency Information System (NEMIS) and related corrective actions were not reported and tracked in accordance with DHS policy;
   •  G&T IFMIS and PARS were not included in FEMA’s systems inventory, and neither system was being tracked via the Trusted Agent Federal Information Security Management Act repository; and
   •  The FEMA Switch Network (FSN)-2 certification and accreditation (C&A) package did not include the Maryland (MD) National Processing Service Center (NPSC) local area network (LAN) subsystem on which the primary servers for FEMA financial applications reside, and security roles for the MD NPSC were not formally designated.

2. Access Controls – we noted:
   •  Password, security patch management, and configuration deficiencies were identified during the vulnerability assessment on hosts supporting the key financial applications and general support systems;
   •  Core IFMIS, G&T IFMIS, NEMIS, and PARS application and/or database accounts, network, and remote user accounts were not periodically reviewed for appropriateness, resulting in inappropriate authorizations and excessive user access privileges. For G&T IFMIS, we determined that recertification of user accounts had not been conducted since the application was implemented at FEMA in FY 2007;
   •  Financial application, network, and remote user accounts were not disabled or removed promptly upon personnel termination;
   •  Initial and modified access granted to Core and G&T IFMIS financial application and/or database, network, and remote users was not properly documented and authorized;
   •  Documented procedures for auditing NEMIS, Core IFMIS, G&T IFMIS, and PARS databases do not meet DHS requirements. Additionally, for these financial systems, logging of application and/or database events required to be recorded was not enabled, audit logs were not reviewed and/or were reviewed by those with conflicting roles, and evidence of audit log reviews was not retained;
   •  Strong password requirements were not enforced on the NEMIS and PARS databases and the FEMA LAN;
   •  FEMA’s process for authorizing and managing remote virtual private network (VPN) access to external state emergency management agencies and FEMA contractors did not comply with DHS and FEMA requirements. Specifically, existing documentation does not define the requirements for administering the site survey process with external organizations seeking VPN access or identify FEMA roles and responsibilities for managing VPN access granted to external individuals using non-DHS equipment to access the FEMA network;
   •  A DHS Waivers and Exceptions Request Form related to Core IFMIS financial database audit logging deficiencies was approved based on inconsistently or inaccurately described mitigating and compensating security controls over the financial application and database, and controls required as a condition of DHS approval were not implemented;
   •  System administrator root access to one instance of IFMIS was not properly restricted, logged, and monitored; and
   •  Emergency and temporary access to the Core IFMIS, G&T IFMIS, and PARS databases was not properly authorized, and contractor development personnel were granted conflicting access to implement database changes.

3. Configuration Management – we noted:
   •  The Standard Operating Procedure (SOP) for monitoring sensitive access to NEMIS operating system software was not implemented and did not include all NEMIS operating system servers that are within scope. Additionally, there was no application or tool in place to support the audit logging function on the NEMIS servers;
   •  Implemented emergency and non-emergency changes to NEMIS system software were not consistently documented, tested, approved, controlled, tracked, and retained on file;
   •  G&T IFMIS contracted developers/programmers were granted unrestricted access to the production environment through the “ifmiscm” account, which is used to deploy changes into production;
   •  A finalized patch management policy that includes the timeframe for installing patches was not implemented for financial systems; and
   •  Access was inappropriately granted to NEMIS developers to allow unrestricted access to both the production and development environments, and code in the NEMIS server directory environment is not locked down to prevent access to the Test and Development Laboratory and production environments after the code is approved for implementation.

4. Contingency Planning – we noted:
   •  An alternate processing site for NEMIS was not established and implemented. Additionally, the approved DHS waiver was expired, and documented controls for restoring NEMIS servers from backup tapes to compensate for the lack of an alternate processing site were ineffective.

Recommendations: We recommend that the FEMA Chief Information Officer (CIO), FEMA Chief Financial Officer (CFO), and other relevant FEMA management, in coordination with the DHS CIO and Acting CFO, make the following improvements to FEMA’s financial management systems and associated IT security program:

1. For Security Management:
   •  Certify and accredit G&T IFMIS and PARS in accordance with applicable DHS policies and Federal guidance;
   •  Formally designate ISSOs and DAAs for G&T IFMIS and PARS;
   •  Develop and implement procedures that outline the process for formally reporting and tracking resolution of weaknesses identified during NEMIS internal vulnerability scans in accordance with DHS guidance;
   •  Update the FEMA systems inventory to include G&T IFMIS and PARS and consistently adhere to policies and procedures for updating and monitoring the systems inventory to ensure that all new and current systems are accounted for with complete and accurate information, in accordance with NIST and DHS policy; and
   •  Conduct a risk assessment of the MD NPSC LAN that supports FEMA financial systems, and review and revise the FSN-2 C&A package to reflect the current environment and include the MD NPSC LAN. Additionally, formally designate an ISSO and DAA for the MD NPSC.

2. For Access Controls:
   •  Implement the specific vendor-recommended corrective actions detailed in the Notice of Finding and Recommendation (NFR) that was issued for deficiencies identified during our vulnerability assessment;
   •  Fully establish and/or implement user account management recertification processes and require completion of periodic reviews of all user accounts for appropriate access and documentation of current user profiles. The processes should include revocation of accounts that cannot be verified during recertification processes;
   •  Update, as necessary, and consistently implement procedures and processes to ensure that all system accounts, including remote access accounts, of terminated employees and contractors are immediately removed/disabled upon their departure;
   •  Review and revise existing procedures to require authorization of new and modified user accounts by supervisors, program managers, and contracting officers’ technical representatives in accordance with DHS requirements;
   •  Revise and implement detailed procedures requiring the consistent and timely review of Core IFMIS and G&T IFMIS database and financial application logs and the maintenance of documentation supporting such reviews in accordance with DHS requirements;
   •  Configure audit logs for financial databases and applications to ensure that auditable events, as required by DHS policy, are recorded and appropriately reviewed by personnel without conflicting duties;
   •  Configure NEMIS and PARS databases and FEMA LAN accounts to enforce strong password and authenticator control requirements, and ensure that individuals with system/database administration and security responsibilities are aware of and properly trained in DHS, FEMA, and Federal requirements;
   •  Revise and implement policies and procedures for documenting, reviewing, and approving the security controls in place over non-DHS equipment connecting to the FEMA network via VPN access, and ensure that roles, responsibilities, and security requirements for authorizing and managing VPN access for external organizations connecting to the FEMA network are defined and implemented in accordance with DHS and FEMA policy;
   •  Submit a revised DHS Waivers and Exceptions Request Form that accurately reflects the mitigating and compensating controls in place on the Core IFMIS financial application and database that justify exception from DHS audit logging policy. Additionally, ensure that (1) future requests include input from system owners and administrators to help ensure risk mitigation strategies accurately reflect implemented security controls and (2) a more formal process is established for providing and communicating approved waivers and conditions of approval to system owners;
   •  Develop and implement procedures for monitoring IFMIS system administrator and highly-privileged account activities and restricting access to the root account, and ensure that reviews of system logs and records are properly conducted; and
   •  Establish a formal process for granting Core IFMIS, G&T IFMIS, and PARS emergency and temporary database access that includes segregation of duties considerations and appropriate approval from FEMA management.

3. For Configuration Management:
   •  Revise, implement, and ensure adherence to the SOP for monitoring sensitive access to NEMIS operating system software to ensure that the scope of the procedures includes all defined NEMIS servers, and deploy the appropriate tool(s) to support audit logging functions on the NEMIS servers, in accordance with FEMA and DHS policy;
   •  Develop configuration management policies and procedures for NEMIS emergency and non-emergency changes to financial system applications software, and ensure consistent adherence with requirements for approving, testing, documenting, properly controlling and tracking changes, and retaining related documentation;
   •  Limit the contracted developers/programmers’ access to the G&T IFMIS production environment to “read only,” and segregate the responsibility for deploying application code changes into
of the FY 2009 DHS \n\n                                    Integrated Audit\n \n\n\x0c                                Department of Homeland Security\n \n\n                            Federal Emergency Management Agency \n\n                            Information Technology Management Letter \n\n                                       September 30, 2009\n\n\n       production from the contractor to an independent control group. If business need does not allow\n       for segregation of these duties, FEMA should document policies and procedures to mitigate the\n       risk associated with the segregation of duties weakness noted in accordance with DHS guidance;\n   \xef\xbf\xbd\t Dedicate the appropriate resources to complete efforts to document, finalize, and implement\n      comprehensive patch management policies and procedures, including requirements for timely\n      implementation of required patches; and\n   \xef\xbf\xbd\t Develop and implement formal processes and procedures for restricting and monitoring access to\n      the NEMIS production directories to ensure that the principles of least privilege and segregation\n      of duties are enforced. The process should include requirements over the monitoring of NEMIS\n      system directories to ensure that no changes have occurred after the approval of NEMIS system\n      changes has occurred. 
Additionally, FEMA should limit developers\xe2\x80\x99 access to the NEMIS\n      production directories to \xe2\x80\x9cread only\xe2\x80\x9d and segregate the responsibility for delivering application\n      code changes into the NEMIS directory server from the contractor to an independent control\n      group.\n4.\t For Contingency Planning:\n   \xef\xbf\xbd\t Complete on-going efforts to establish and implement an alternate processing site for NEMIS.\n      Until an alternate processing site is established, obtain a current waiver approved by DHS and\n      ensure that identified compensating controls are operating effectively to address the lack of an\n      alternate processing site.\nOther Findings in IT General Controls\nConditions: Although not considered to be a material weakness, we also noted the following other\nmatters related to IT control deficiencies during the FY 2009 IT audit procedures at FEMA:\n1.\t Security Management \xe2\x80\x93 we noted:\n   \xef\xbf\xbd\t The revised system security plan (SSP) for NEMIS did not fully document the systems\n      boundaries, define all subsystems and major applications, or establish security responsibilities for\n      all system components;\n   \xef\xbf\xbd\t The C&A for the legacy National Flood Insurance Program (NFIP) IT system pertaining to the\n      Traverse application, Transaction Recording and Reporting Processing (TRRP) application, and\n      NFIP LAN was expired, and the system was operating without a current ATO;\n   \xef\xbf\xbd\t For the majority of FY 2009, a finalized and executed Memorandum of Understanding and an\n      Interconnection Sharing Agreement was not in place between FEMA and the Department of the\n      Treasury. 
     (Note: This issue was fully remediated during the audit and no further recommendation was required.);
   • Procedures for managing IT security incidents were not developed, approved, and implemented, and our unannounced vulnerability assessment scanning activity was not detected and appropriately reported by FEMA IT, in accordance with DHS and FEMA incident response policy;
   • FEMA Office of the Chief Financial Officer (OCFO) and NFIP financial systems development and acquisition projects were undertaken and progressed without: (1) proper oversight of and direction to contractors, (2) development and approval of required project documentation, (3) the continual involvement of the Office of the Chief Information Officer (OCIO) to ensure appropriate consideration and integration of IT security, and (4) the joint communication and decision-making of FEMA OCFO, OCIO, and NFIP management;
   • Suitability investigations for FEMA federal employees and contractors were not appropriately conducted, and positions associated with employees and contractors holding elevated system privileges did not have appropriate position sensitivity designations. Additionally, formal procedures were not developed or implemented for conducting suitability screenings for contractors accessing DHS IT systems; and
   • FEMA did not have a process for tracking the status of contractors or an effective and formal process for notifying the OCIO of changes in contractor status so that user accounts could be appropriately disabled, removed, or modified in a timely manner.

2. Access Controls – we noted:
   • A formalized process did not exist to guide Core IFMIS staff in the modification of system accounts to ensure that appropriate privileges were created, documented, and approved for a specific security function, and the use of function modification privileges was not monitored;
   • The Core IFMIS database and TRRP system were configured with weak passwords that did not comply with DHS policy. (Note: TRRP password settings were reconfigured during the audit to exceed DHS requirements. The weakness was fully remedied and no further recommendation was required.);
   • FEMA end-user workstations were not properly configured to activate a password-protected screensaver after 5 minutes of inactivity, as required by DHS policy;
   • Policies and procedures that require periodic documented recertification of NFIP data center access at a defined frequency were not developed and implemented; and
   • Processes to formally document authorizations, approvals, business needs, and recertification of TRRP system service accounts were not established. As a result, evidence that service accounts were authorized was not on file, and service accounts were not included in TRRP recertification efforts.
   We also identified exceptions related to access controls during our after-hours physical security testing. Details of the exceptions identified are outlined in the After-Hours Physical Security Testing section of this report.

3. Configuration Management – we noted:
   • Formal procedures were not implemented to require monitoring of developers’ changes to Core IFMIS financial application directories and sub-directories in order to review and validate implemented changes, and informal reviews of developer activities were not routinely performed and documented;
   • The configuration management plans for the NFIP Traverse and TRRP systems did not comprehensively provide guidance to address all configuration management control elements required by FEMA and DHS policy;
   • TRRP changes were not approved prior to development and implementation into production;
   • Procedures for approving, testing, and ensuring timely installation of operating system patches for the NFIP LAN, Traverse, Core IFMIS, and G&T IFMIS were not developed and implemented;
   • Formal procedures for conducting internal scans of the Core IFMIS, G&T IFMIS, and NFIP LAN and Traverse operating systems were not developed, remediation of vulnerabilities identified during internal scans was not tracked and monitored, and certain workstations were excluded from the scope of NFIP LAN scans conducted; and
   • The third-party development vendor was allowed to use NFIP system administrator accounts to log on and create sessions for installing Traverse system changes, and a formal process was not established for monitoring changes made by the vendor.

4. Segregation of Duties – we noted:
   • Incompatible duties that must remain segregated when granting and maintaining Traverse user access, and processes for segregating incompatible duties within Traverse, were not formally documented in existing policies and procedures.

5. Contingency Planning – we noted:
   • NEMIS backup tapes were not regularly tested in accordance with policy;
   • Full-scale testing of the NEMIS contingency plan was not conducted, and the plan did not adequately and comprehensively include information for fully restoring NEMIS in accordance with requirements for high impact availability systems or accurately include NEMIS system architecture information. Additionally, the waiver approved by DHS that identified table-top testing as a compensating control for FEMA’s inability to fully test NEMIS was expired; and
   • The existing TRRP and Traverse contingency plans and the NFIP Bureau and Statistical Agent Disaster Recovery and Continuity of Operations Plan were not current or tested for systems recovery and failover capability at the alternate processing site. Additionally, the Traverse and TRRP alternate processing facility and TRRP critical data files were not documented in the existing disaster recovery and continuity of operations plan.

Recommendations: We recommend that the FEMA CIO, FEMA CFO, and other appropriate FEMA management, in coordination with the DHS CIO and Acting CFO, make the following improvements to FEMA’s financial management systems:

1. For Security Management:
   • Ensure that the NEMIS SSP is updated in accordance with DHS policy so that the system’s boundaries, components, and roles and responsibilities are properly defined and documented;
   • Complete the recertification and accreditation of the NFIP legacy system and re-authorize the system for operation, in accordance with DHS policies and Federal guidance;
   • Develop and implement approved procedures for managing security incidents that clearly outline the roles and responsibilities required to maintain a continuous incident response capability, and provide training to all personnel with assigned roles and responsibilities;
   • Define and implement formal and repeatable processes to ensure that financial systems development and acquisition projects are conducted in compliance with DHS System Engineering Life Cycle and acquisition requirements and Federal guidance;
   • Further refine processes to ensure that background investigations for all types of federal employees and contractors are performed, and reevaluate and assign the correct position sensitivity levels for federal employees and contractors with access to DHS information systems. FEMA Acquisitions, FEMA Personnel Security, and FEMA IT should also work together to implement procedures to ensure a more centralized and coordinated process for tracking and completing background investigations of contracting personnel, in accordance with DHS policy; and
   • Document and implement procedures for tracking contractor on-boarding, transfers, and separations that include assignment of roles and responsibilities to appropriate FEMA management and stakeholders and steps for notifying the OCIO and system owners of changes in contractor status that require changes to user access.

2. For Access Controls:
   • Develop and implement policies and procedures that document the process of adding, deleting, and modifying Core IFMIS security functions to ensure that the proper controls are in place for modifying user account privileges. Additionally, ensure that the use of function modification privileges is monitored;
   • Reconfigure Core IFMIS database passwords to enforce full compliance with DHS policy;
   • Configure the FEMA LAN domain security policy to automatically activate password-protected screensavers on end-user workstations after the period of inactivity defined in DHS policy;
   • Develop and implement policies and procedures for periodic recertification of physical access to the NFIP data center, to include the required frequency of reviews and the documentation that should be maintained as evidence of reviews conducted; and
   • Revise the TRRP access control policies and procedures to ensure that the creation of service accounts is appropriately authorized and that a clear business need is established and documented. Additionally, ensure that policies and procedures over TRRP access authorization include the recertification of service accounts in accordance with DHS policy.

3. For Configuration Management:
   • Develop and implement formal procedures for conducting periodic reviews of Core IFMIS developer changes to financial application directories and sub-directories to verify that only authorized changes are implemented into production, and for retaining evidence of reviews conducted on file;
   • Update the current versions of the NFIP Traverse and TRRP configuration management procedures to comprehensively address DHS and FEMA requirements, including requirements to initially approve changes prior to development and implementation in the production environment;
   • Ensure the implementation of an updated version of the current TRRP configuration management procedures that comprehensively addresses requirements. The procedures should require initial approvals of change requests and establish a process for obtaining Change Control Board and Technical Review Committee approvals prior to implementing changes into production;
   • Document, finalize, and implement comprehensive patch management policies and procedures that outline requirements for authorizing, testing, and installing required NFIP LAN, Traverse, Core IFMIS, and G&T IFMIS operating system patches. The policies and procedures should establish timeframes for installing required patches;
   • Develop, finalize, and implement formal procedures over Core and G&T IFMIS and the NFIP LAN and Traverse operating system for: (1) conducting periodic internal vulnerability scans of FEMA and NFIP financial systems; (2) assessing, reporting, tracking, and monitoring the correction of vulnerabilities identified during internal scans; and (3) ensuring all workstations are included in the scope of scans; and
   • Establish a separate account for use by the NFIP third-party development vendor when implementing Traverse changes that is limited to activation on an as-needed basis, and establish a process for monitoring and verifying that configuration changes by the vendor are implemented and documented in accordance with policy.
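The periodic review of developer changes to production directories recommended above (for the Core IFMIS financial application directories here, and for the NEMIS production directories in the earlier Configuration Management recommendations) can be made repeatable by comparing a hashed baseline against the current tree and against the file list on the approved change ticket. The following is an added example written for this letter, not code from the report or from FEMA; the directory layout, ticket contents and sample files are constructed.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def snapshot(root: Path) -> dict:
    """Hash every regular file under root, keyed by its path relative to root.

    The independent control group takes this snapshot right after each approved
    deployment; it becomes the baseline for the next review.
    """
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            rel = full.relative_to(root).as_posix()
            result[rel] = hashlib.sha256(full.read_bytes()).hexdigest()
    return result


def review_changes(baseline: dict, current: dict, approved_files: set) -> dict:
    """Classify every difference between the baseline and the current snapshot.

    approved_files is the set of relative paths that the approved change ticket
    (constructed format) says may be modified, added or deleted. Any other path
    that differs is an unauthorized change for the reviewer to investigate.
    Approved paths that did not change are reported too, since that can mean an
    incomplete deployment.
    """
    changed = {p for p in baseline.keys() & current.keys() if baseline[p] != current[p]}
    added = current.keys() - baseline.keys()
    deleted = baseline.keys() - current.keys()
    observed = changed | added | deleted
    return {
        "authorized": sorted(observed & approved_files),
        "unauthorized": sorted(observed - approved_files),
        "approved_but_unchanged": sorted(approved_files - observed),
    }


def demo() -> dict:
    """Constructed end-to-end run on a temporary 'production' tree."""
    with tempfile.TemporaryDirectory() as tmp:
        prod = Path(tmp) / "prod"
        (prod / "bin").mkdir(parents=True)
        (prod / "cfg").mkdir()
        (prod / "bin" / "ledger.jar").write_bytes(b"release 1")
        (prod / "bin" / "report.jar").write_bytes(b"release 1")
        (prod / "cfg" / "db.properties").write_text("pool=10\n")
        baseline = snapshot(prod)

        # Approved change ticket (constructed): only ledger.jar may be replaced.
        approved = {"bin/ledger.jar"}
        (prod / "bin" / "ledger.jar").write_bytes(b"release 2")
        # An edit nobody approved: a config change made outside the ticket.
        (prod / "cfg" / "db.properties").write_text("pool=10\ndebug=true\n")

        return review_changes(baseline, snapshot(prod), approved)


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

The report is what the reviewer retains as evidence; a non-empty "unauthorized" list is the finding the recommendation asks the control group to detect.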
4. For Segregation of Duties:
   • Document incompatible duties that must remain segregated when granting and maintaining Traverse user access, and update existing policies and procedures to include requirements for properly segregating incompatible duties within Traverse.

5. For Contingency Planning:
   • Periodically test NEMIS backup tapes at a frequency that is in accordance with policy;
   • Update the NEMIS contingency plan in accordance with DHS requirements for high impact availability systems, inclusive of accurate system architecture information; conduct documented annual tests of the plan; and, as necessary, update the plan with lessons learned from testing. If the NEMIS contingency plan cannot be tested, obtain a DHS-approved waiver and implement effective compensating and mitigating controls; and
   • Update and appropriately test the TRRP and Traverse contingency plans and the NFIP Bureau and Statistical Agent Disaster Recovery and Continuity of Operations Plan, in accordance with DHS requirements for high impact systems, and test fail-over capability at the alternate processing site. Additionally, incorporate the Traverse and TRRP alternate processing facility and critical data files into the revised NFIP Bureau and Statistical Agent Disaster Recovery and Continuity of Operations Plan.

After-Hours Physical Security Testing

We performed after-hours physical security testing to identify risks related to non-technical aspects of IT security. These non-technical IT security aspects included physical access to media and equipment that housed financial data and information residing on a FEMA employee’s / contractor’s desk, which could be used by others to gain unauthorized access to systems housing financial information. The testing was performed at various FEMA locations that process and/or maintain financial data.

Conditions: Although not considered to be a material weakness, we noted the following other matters that resulted from our after-hours physical security testing during the FY 2009 audit engagement:

                                                             Locations
Exceptions Noted                            FEMA Headquarters   Patriot’s Plaza   FEMA Design Center   Total Exceptions by Type
Unprotected Passwords                               18                19                  5                     42
External Memory Drives                               0                 2                  2                      4
For Official Use Only (FOUO)                         0                 1                  1                      2
Keys/Badges                                          0                 0                  2                      2
Personally Identifiable Information (PII)            0                 1                  1                      2
Server Names/IP Addresses                            0                 0                  1                      1
Unsecured Workstations or Laptops                    0                 1                  0                      1
Credit Cards                                         0                 0                  0                      0
Classified Documents                                 0                 0                  0                      0
Other – US government official passport              0                 0                  0                      0
Total Exceptions by Location                        18                24                 12                     54

Recommendations: We recommend that the appropriate FEMA management review the effectiveness of existing security awareness programs designed to protect electronic and physical data and ensure that individuals are adequately instructed and reminded of their roles in the protection of both electronic and physical FEMA data and hardware. Additionally, FEMA employees and contractors should be made aware of the need to protect PII, as well as information marked “FOUO.”

Causes/Effects for IT General Control Findings:

Many of these deficiencies originate from policy and system development activities that did not incorporate strong security controls from the outset and will take several years to fully remediate. While FEMA has made improvements in addressing the root cause of some IT deficiencies and has worked to improve security controls, we found that focus is often still placed on the tracking of responses to audit recommendations, instead of on developing the most effective method of addressing the actual control deficiency. When deficiencies in controls or processes are identified, we noted that the corrective actions implemented address the symptom of the problem and do not always correct the root cause, resulting in a temporary fix. Further, detection of these temporary fixes through self-evaluation is not effective, due to insufficient testing of IT controls and remediation activities. Finally, FEMA has undertaken several high priority and competing IT initiatives to improve its control environment and does not always have sufficient resources to direct towards the implementation of security controls in a consistent manner.

Reasonable assurance should be provided that financial system user access levels are limited and monitored for appropriateness and that all user accounts belong to current employees and contractors. Furthermore, monitoring of the more highly privileged accounts is essential. The deficiencies identified in FEMA’s access controls increase the risk that employees and contractors may have access to a system that is outside the realm of their job responsibilities, or that a separated individual, or another person with knowledge of an active account of a terminated employee or contractor, could use the account to alter the data contained within the application or database without being detected. This may also increase the risk that the confidentiality, integrity, and availability of system controls and the financial data could be exploited, thereby compromising the integrity of financial data used by management and reported in the DHS financial statements.

The lack of fully implemented security configuration management controls may result in security responsibilities being improperly communicated to system developers as well as the improper implementation and monitoring of system changes. This also increases the risk of unsubstantiated changes and changes that may introduce errors or data integrity issues that are not easily traceable back to the changes. In addition, it increases the risk of undocumented and unauthorized changes to critical or sensitive information and systems, which may reduce the reliability of information produced by these systems.

The deficiencies in security management controls identified may result in systems being developed and implemented without proper identification and management of IT security risks. As a result, FEMA management decisions may be based on incomplete or inaccurate information, and IT controls may not be designed and implemented to adequately protect financial systems data and information. Additionally, the lack of implemented incident response procedures may result in suspected incidents not being appropriately detected, reported, and managed within the timeliness needed to prevent or minimize the impact to information resources. Finally, individuals who are unable to obtain favorable background investigations, or who no longer have a need for access and privileges based on their employment status and current job responsibilities, may be inappropriately granted and/or maintain access to financial systems and data.

A lack of segregation of duties policies and procedures may result in conflicting system roles and privileges being granted to individuals. Additionally, if inappropriate data manipulation occurs, FEMA management may not be able to quickly determine whether a segregation of duties conflict within roles and responsibilities resulted in the infraction, and would have little recourse for taking action against users effectuating the violation.

The deficiencies related to contingency planning controls that we identified may result in FEMA’s inability to recover financial systems and data during interruptions to financial processing so that operations can resume. Consequently, financial data may be lost or incorrectly processed. Moreover, deficiencies in contingency planning controls may negatively impact FEMA’s national emergency management mission. Specifically, if FEMA were unable to recover and resume operations for NEMIS during states of emergency or disasters, national response capabilities could be hindered.

Criteria for IT General Control Findings

The criteria used during our FY 2009 audit procedures over IT general controls consisted of Federal government and DHS IT security requirements. The Federal Information Security Management Act (FISMA), passed as part of the Electronic Government Act of 2002, mandates that Federal entities maintain IT security programs in accordance with Office of Management and Budget (OMB) and NIST guidance. OMB Circular No. A-130, Management of Federal Information Resources, and various NIST guidelines, including NIST Special Publication 800-53 (revision 2), Recommended Security Controls for Federal Information Systems, describe specific essential criteria for maintaining effective IT general controls. In addition, OMB Circular No. A-127, Financial Management Systems, prescribes policies and standards for Executive Branch departments and agencies to follow in developing, operating, evaluating, and reporting on financial management systems. For this year’s IT audit procedures, we also assessed FEMA’s compliance with DHS Sensitive Systems Policy Directive 4300A, Information Technology Security Program.

APPLICATION CONTROL FINDINGS

We concluded that application controls over NEMIS, Core IFMIS, G&T IFMIS, and PARS could not be relied upon for purposes of our FY 2009 audit procedures because of the nature of the general IT control deficiencies identified and discussed above. As a result, we did not test application controls for these financial systems. However, we conducted certain application control testing over key financial systems supporting NFIP. Based on the testwork conducted, no application control weaknesses were identified during our FY 2009 testing at FEMA.

MANAGEMENT’S COMMENTS AND OIG RESPONSE

We obtained written comments on a draft of this report from FEMA management. FEMA management agreed with all of our findings and recommendations. FEMA management has developed a remediation plan to address these findings and recommendations. We have included a copy of the comments in Appendix D.

OIG Response

We agree with the steps that FEMA management is taking to satisfy these recommendations.

Appendix A

Description of Key Federal Emergency Management Agency Financial Systems and Information Technology Infrastructure within the Scope of the FY 2009 Department of Homeland Security Integrated Audit Engagement

Below is a description of significant Federal Emergency Management Agency (FEMA) financial management systems and supporting information technology (IT) infrastructure included in the scope of the FY 2009 engagement to perform the financial statement audit.

Locations of Audit: FEMA Headquarters in Washington, D.C.; the Mount Weather Emergency Operations Center in Bluemont, Virginia; IT operations in Winchester, VA; the National
Flood\nInsurance Program (NFIP) in Crystal City, Virginia; and the NFIP contractor location in Lanham,\nMaryland.\n\nKey Systems Subject to Audit:\n\n\xef\xbf\xbd\t Core Integrated Financial Management Information System (IFMIS): Core IFMIS is the primary\n   financial reporting system and has several feeder subsystems (budget, procurement, accounting,\n   and other administrative processes and reporting).\n\n\xef\xbf\xbd\t Grants and Training (G&T) IFMIS: G&T IFMIS was moved from the Department of Justice into\n   the FEMA environment in FY 2007. The system stores former G&T financial information.\n\n\xef\xbf\xbd\t Payment and Reporting System (PARS): PARS is a standalone web-based application that resides\n   on the G&T IFMIS UNIX server. Through its web interface, PARS collects and stores Standard\n   Form 269 information from grantees. Cron jobs are run daily to update the grant information\n   from PARS into G&T IFMIS. Additionally, through these cron jobs, PARS is also updated with\n   the obligation information from G&T IFMIS to provide updated information to its users.\n\n\xef\xbf\xbd\t National Emergency Management Information System (NEMIS): NEMIS is an integrated system\n   to provide FEMA, states, and certain other federal agencies with automation to perform disaster\n   related operations. NEMIS supports all phases of emergency management and provides financial\n   related data to Core IFMIS via an automated interface.\n\n\xef\xbf\xbd\t Traverse: Travers is the general ledger application currently used by the NFIP Bureau and\n   Statistical Agent to generate the NFIP financial statements. Traverse is a client-server application\n   that runs on the NFIP Local Area Network Windows server in Lanham, MD. 
The Traverse client\n   is installed on the desktop computers of the NFIP Bureau of Financial Statistical Control group\n   members.\n\n\xef\xbf\xbd\t Transaction Recording and Reporting Processing (TRRP): The TRRP application acts as a\n   central repository of all data submitted by the Write Your Own (WYO) companies for the NFIP.\n   TRRP also supports the WYO program, primarily by ensuring the quality of financial data\n   submitted by the WYO companies to TRRP. TRRP is a mainframe-based application that runs on\n   the NFIP mainframe logical partition in Norwich, Connecticut.\n\n\n\n\n                                                18\n Information Technology Management Letter for FEMA Component of the FY 2009 DHS \n\n                                Integrated Audit\n \n\n\x0c                                                                           Appendix B\n\n                          Department of Homeland Security\n \n\n                      Federal Emergency Management Agency \n\n                      Information Technology Management Letter \n\n                                 September 30, 2009\n\n\n\n\n                                   Appendix B\n\nFY 2009 Notices of Information Technology Findings and Recommendations\n             at the Federal Emergency Management Agency\n\n\n\n\n                                         19\n   Information Technology Management Letter for FEMA Component of the FY 2009 DHS \n\n                                  Integrated Audit\n \n\n\x0c                                                                                             Appendix B\n\n                                   Department of Homeland Security\n \n\n                               Federal Emergency Management Agency \n\n                               Information Technology Management Letter \n\n                                          September 30, 2009\n\n\nNotice of Findings and Recommendations (NFR) \xe2\x80\x93 Definition of Severity 
Ratings:\n\nEach NFR listed in Appendix B is assigned a severity rating from 1 to 3 indicating the influence on the\nDepartment of Homeland Security (DHS) Independent Auditors\xe2\x80\x99 Report.\n\n      1 \xe2\x80\x93 Not substantial\n\n      2 \xe2\x80\x93 Less significant \n\n      3 \xe2\x80\x93 More significant \n\n\nThe severity ratings indicate the degree to which the deficiency influenced the determination of severity\nfor consolidated reporting purposes.\n\nThese rating are provided only to assist the Federal Emergency Management Agency (FEMA) in the\ndevelopment of its corrective action plans for remediation of the deficiency.\n\n\n\n\n                                                    20\n     Information Technology Management Letter for FEMA Component of the FY 2009 DHS \n\n                                    Integrated Audit\n \n\n\x0c                                                                                                                                        Appendix B\n\n                                                  Department of Homeland Security\n \n\n                                              Federal Emergency Management Agency \n\n                                              Information Technology Management Letter \n\n                                                         September 30, 2009\n\n\n                                                                                                                                        Repeat    Risk\nNFR #                            Condition                                           Recommendation                         New Issue\n                                                                                                                                         Issue   Rating\n FEMA\xc2\xad     Password, patch management, and configuration             Implement the specific corrective actions listedXin                           3\nIT-09-02   management weaknesses were 
identified during              the NFR for each technical control weakness\n           vulnerability assessment technical testing.               identified.\n           Note: Due to the nature of this finding, see the tables\n           in associated NFR for the specific details of the\n           conditions.\n FEMA\xc2\xad     The process outlined for the Core Integrated Financial    \xef\xbf\xbd    Revise applicable FEMA policies and         X                              3\nIT-09-03   Management        Information     System      (IFMIS)          procedures to require that any accounts which\n           recertification that initiated on January 12, 2009,            are not positively verified during the periodic\n           required that a new FEMA Form 20-24 be approved                review of IFMIS accounts for recertification\n           and submitted to the Financial Systems Section (FSS)           are revoked until a new approved FEMA Form\n           for all current IFMIS users, and also required                 20-24 is received by FSS personnel.\n           revocation of any accounts that could not be validated.\n           However, we noted that the requirement to revoke          \xef\xbf\xbd    Dedicate resources to ensure that consistent\n           access is not documented in the Office of the Chief            application of FEMA policies/procedures and\n           Financial Officer (OCFO) Procedures for Granting               DHS policy is performed by revoking access\n           Access to IFMIS or FEMA Instruction 2200.7, IFMIS              for all IFMIS application accounts not\n           User Access Policy and Procedures.                             
validated through submission of a new FEMA\n                                                                          Form 20-24 as part of the periodic account\n           We reviewed access authorization documentation for a           review.\n           selection of 40 active Core IFMIS user accounts, noted\n           that 2 accounts did not have a FEMA Form 20-24\n           completed after January 12, 2009, and concluded that\n           the accounts were not appropriately recertified and\n           validated as belonging to current users. Additionally,\n           access for the 2 accounts was not revoked, per the\n           process described in the memorandum.\n\n\n\n\n                                                                         21\n           Information Technology Management Letter for FEMA Component of the FY 2009 DHS Integrated Audit\n\x0c                                                                                                                                        Appendix B\n\n                                                  Department of Homeland Security\n \n\n                                              Federal Emergency Management Agency \n\n                                              Information Technology Management Letter \n\n                                                         September 30, 2009\n\n                                                                                                                                        Repeat    Risk\nNFR #                            Condition                                            Recommendation                        New Issue\n                                                                                                                                         Issue   Rating\n FEMA\xc2\xad     During the FY 2009 follow-up testwork, we noted that       Develop and implement policies and procedures   X                            2\nIT-09-06   FEMA has obtained and 
distributed a reference guide        documenting the process of adding, deleting, and\n           that documents the purpose of Core IFMIS system            modifying Core IFMIS system security functions\n           security functions and their associated permissions and    to ensure that the proper controls are in place for\n           configuration options. However, the guide does not         modifying user account privileges. Additionally,\n           include policies and procedures addressing process         these policies and procedures should include\n           requirements for adding, deleting, and modifying Core      requirements over the monitoring of the usage of\n           IFMIS system security functions. We also determined        function modification privileges, configuration\n           that no additional policies and procedures have been       changes implemented for Core IFMIS system\n           developed by FEMA or the IT developer of IFMIS             security functions, and requirements over updating\n           that establish a process for implementing change           system documentation for changes in the system\n           controls for the maintenance of system security            security functions.\n           functions and their associated privileges.\n           FEMA management represented to us that access to\n           the security menu is limited, individuals with access to\n           the menu do not use their privileges to delete, create,\n           or modify functions, and changes are made to Core\n           IFMIS system security functions through the standard\n           change control process. 
However, we noted there are\n           no controls in place to restrict and/or monitor the use\n           of these privileges to ensure that system security\n           functions are not modified, created, or deleted.\n           Based on our testwork, we concluded that a formalized\n           process for modifying specific Core IFMIS system\n           security functions to ensure that appropriate privileges\n           are created, documented, approved, and monitored\n           does not exist.\n\n\n\n\n                                                                        22\n           Information Technology Management Letter for FEMA Component of the FY 2009 DHS Integrated Audit\n\x0c                                                                                                                                       Appendix B\n\n                                                 Department of Homeland Security\n \n\n                                             Federal Emergency Management Agency \n\n                                             Information Technology Management Letter \n\n                                                        September 30, 2009\n\n                                                                                                                                       Repeat    Risk\nNFR #                           Condition                                           Recommendation                         New Issue\n                                                                                                                                        Issue   Rating\n FEMA\xc2\xad     The standard operating procedure (SOP) for               \xef\xbf\xbd                                            X\n                                                                         Dedicate resources to complete the on-going                              3\nIT-09-12   recertification of National Emergency Management              review of NEMIS 
user access for FY 2009 and\n           Information System (NEMIS) positions has not been             perform subsequent reviews, as required by\n           finalized and implemented to require a semi-annual            DHS policy.\n           review of all user roles within the NEMIS Access\n           Control System (NACS), including privileges related      \xef\xbf\xbd    Finalize and fully implement formal\n           to access to specific NEMIS applications and modules.         procedures for conducting the NEMIS\n                                                                         recertification process and retaining auditable\n           Furthermore, we determined that FEMA Enterprise               records, in accordance with DHS policy. .\n           Operations staff completed development of the\n           technical infrastructure within NACS to support the\n           recertification effort at the end of FY 2008. However,\n           we determined that the FY 2008 recertification of\n           NEMIS/NACS roles was not completed and FEMA\n           initiated but did not complete the FY 2009\n           recertification that was scheduled for completion by\n           April 30, 2009.\n FEMA\xc2\xad     During FY 2009, we performed test work over              \xef\xbf\xbd                                              X\n                                                                         Evaluate and, if appropriate, revise existing                              3\nIT-09-13   security controls in place for Core IFMIS, NEMIS,             procedures over removal of separated user\n           and the FEMA iPass/virtual private network (VPN)              access to IT systems to identify weaknesses\n           remote access system, including follow-up testing on          that contribute to untimely removal of\n           the prior year finding.                                       
separated individuals from the information\n                                                                         systems.\n           Through comparison of active Core IFMIS, NEMIS,\n           and iPass/VPN remote access accounts against a list of   \xef\xbf\xbd    Ensure that procedures and processes are\n           FEMA employees that had separated from                        implemented consistently to remove system\n           employment since October 1, 2008, we determined               and application accounts for all separated\n           that 1 Core IFMIS account, 62 NEMIS accounts, and             users immediately upon notification of\n           28 iPass/VPN accounts remained active and unlocked            separation, in accordance with FEMA, DHS,\n           after the account holder\xe2\x80\x99s separation from FEMA.              and National Institute of Standards and\n           Additionally, of the 28 active iPass/VPN accounts, we         Technology (NIST) guidance.\n           determined that 11 also had at least one active NACS\n\n\n                                                                        23\n           Information Technology Management Letter for FEMA Component of the FY 2009 DHS Integrated Audit\n\x0c                                                                                                                                        Appendix B\n\n                                                  Department of Homeland Security\n \n\n                                              Federal Emergency Management Agency \n\n                                              Information Technology Management Letter \n\n                                                         September 30, 2009\n\n                                                                                                                                        Repeat    Risk\nNFR #                            Condition                                            
Recommendation                        New Issue\n                                                                                                                                         Issue   Rating\n           role, indicating active remote access privileges to both\n           the FEMA network and NEMIS.\n\n FEMA\xc2\xad     During the FY 2009 follow-up testwork, we noted that       Implement compensating controls to address X    the                            2\nIT-09-17   FEMA has a SOP that outlines the controls intended to      risk associated with the segregation of duties\n           address the risk associated with the Core IFMIS            weakness related to developers making changes to\n           developers having the ability to migrate changes to the    the production environment. Specifically, FEMA\n           Core IFMIS production environment. The SOP, in             should develop and implement policies and\n           particular, requires the locking and unlocking of the      procedures for conducting periodic reviews to\n           ifmiscm account during the implementation of               verify that only authorized changes are made to the\n           software changes into production by system                 Core IFMIS production directories and\n           administrators. However, we determined that no             subdirectories by developers using the ifmiscm\n           formal procedures or processes are documented for          account. Additionally, the policies and procedures\n           performing reviews to verify that only authorized          should include requirements for retention of\n           changes to the ifmiscm directory and sub-directories       auditable evidence of the reviews that are\n           are implemented into production by the developers.         
performed.\n           Additionally, we determined that although informal\n           reviews of the directories were performed during the\n           fiscal year, they were not routinely completed, and\n           documented evidence of the reviews performed was\n           not retained.\n\n FEMA\xc2\xad     FEMA Enterprise Operations personnel informed us           \xef\xbf\xbd                                              X\n                                                                           Revise the SOP, Monitoring Sensitive Access                               3\nIT-09-19   that the SOP, Monitoring Sensitive Access to NEMIS,             to NEMIS, to ensure that it states that the\n           was developed to outline the process for monitoring             scope of the procedures includes all servers\n           sensitive access to the NEMIS operating system.                 defined in up-to-date system documentation as\n           Based upon our review of the SOP, we noted that a list          supporting NEMIS system software within\n           of NEMIS servers that are considered to be within the           system boundaries for the financial\n           scope of the SOP are listed, but that specific hosts and        applications and modules.\n           server designations are not clearly defined.          
In\n           particular, approximately 30 separate IT components        \xef\xbf\xbd    Acquire and deploy appropriate tools on\n           are described, and certain servers supporting web\xc2\xad              system software and operating systems\n\n\n\n                                                                          24\n           Information Technology Management Letter for FEMA Component of the FY 2009 DHS Integrated Audit\n\x0c                                                                                                                                      Appendix B\n\n                                                  Department of Homeland Security\n \n\n                                              Federal Emergency Management Agency \n\n                                              Information Technology Management Letter \n\n                                                         September 30, 2009\n\n                                                                                                                                      Repeat    Risk\nNFR #                            Condition                                            Recommendation                      New Issue\n                                                                                                                                       Issue   Rating\n           facing applications for registration, applicant inquiry,        supporting the NEMIS financial applications\n           and assistance processing are listed. However, based            to generate audit trails and records in\n           on additional testwork and corroborative inquiry of             accordance with FEMA and DHS policy.\n           NEMIS personnel, we determined that at least 170\n           operating system servers for NEMIS are not                 \xef\xbf\xbd    Implement the SOP, Monitoring Sensitive\n           comprehensively included in the scope of the SOP.               
Access to NEMIS, by reviewing and retaining\n                                                                           audit trails and records in accordance with\n           Additionally, FEMA informed us that outlined                    FEMA and DHS policy.\n           procedures for conducting the required reviews of\n           audit trails every 3 days and retaining evidence for at\n           least a year have not been implemented and the\n           NEMIS operating system activity is not currently\n           being logged or monitored. Additionally, we noted\n           that no application or tool is currently in place to\n           support the audit logging function on the NEMIS\n           Linux server.\n           Consequently, we concluded that FEMA has partially\n           addressed the prior year recommendation by including\n           review and retention requirements in the SOP for\n           monitoring NEMIS activity. However, the SOP has\n           not been implemented on the operating system\n           software supporting NEMIS and does not include all\n           NEMIS operating system servers within its scope.\n FEMA\xc2\xad     During our FY2009 follow-up testwork, we noted that        \xef\xbf\xbd    Continue and complete efforts required Xto                              3\nIT-09-22   FEMA was unable to take corrective action to                    establish and implement an alternate\n           establish and implement an alternate processing site            processing site for NEMIS according to DHS\n           for the NEMIS application. Additionally, a current              4300A.\n           waiver over the lack of an alternate processing site did\n           not exist.                                                 
\xef\xbf\xbd    Until an alternate processing site is\n                                                                           established, develop and submit a waiver for\n           FEMA security personnel described compensating                  approval in accordance with DHS policy\n           controls surrounding the contingency planning\n\n\n                                                                          25\n           Information Technology Management Letter for FEMA Component of the FY 2009 DHS Integrated Audit\n\x0c                                                                                                                                          Appendix B\n\n                                                    Department of Homeland Security\n \n\n                                                Federal Emergency Management Agency \n\n                                                Information Technology Management Letter \n\n                                                           September 30, 2009\n\n                                                                                                                                          Repeat    Risk\nNFR #                             Condition                                              Recommendation                       New Issue\n                                                                                                                                           Issue   Rating\n           process. 
Specifically, FEMA management informed                    regarding    waivers,    and     ensure that\n           us that in FY 2009 the NEMIS Contingency Plan was                  compensating controls over the alternate\n           partially tested through an annual table-top exercise to           processing     site   are     effective and\n           restore five of the NEMIS servers from backup tapes                documentation of their effectiveness is\n           at the Mt. Weather Emergency Operations Center                     maintained as auditable records.\n           (MWEOC).           Furthermore, FEMA management\n           informed us that compensating controls were also\n           provided through performance of full backups of\n           critical NEMIS data on a regular basis and the transfer\n           of these tapes to an offsite backup storage facility.\n           However, during further testwork and analysis, we\n           determined that there were weaknesses in the\n           compensating controls described by FEMA\n           management. In particular, we noted that while the\n           contingency plan was tested, a full restore of all the of\n           the NEMIS servers was not performed. Additionally,\n           backup tapes for NEMIS are not fully tested on a\n           periodic basis. 
(Please refer to NFRs FEMA-IT-09-24\n           and FEMA-IT-09-25 for further information.)\n FEMA\xc2\xad     In FY 2009, we conducted follow-up procedures to              Periodically test NEMIS backup tapes atX a                                    2\nIT-09-24   determine if FEMA had implemented corrective action           frequency that is in compliance with FEMA and\n           for the prior year finding and determined that NEMIS          DHS policy.\n           backup tapes were not regularly tested during FY\n           2009.\n\n FEMA\xc2\xad      During our FY 2009 audit, we conducted follow-up             \xef\xbf\xbd    Update the NEMIS Contingency Plan so that X                              2\nIT-09-25    procedures and determined that full-scale testing of              it meets the requirements of DHS policy for\n            the NEMIS Contingency Plan, in accordance with                    high      impact     availability    systems.\n            DHS requirements for high impact availability                     Additionally,    ensure    that   the    plan\n            systems, has not been conducted. 
FEMA provided us                 comprehensively addresses the numerous sub\xc2\xad\n            with the testing results of limited table-top testing that        systems within NEMIS so that detailed\n\n\n\n                                                                             26\n           Information Technology Management Letter for FEMA Component of the FY 2009 DHS Integrated Audit\n\x0c                                                                                                                                         Appendix B\n\n                                                  Department of Homeland Security\n \n\n                                              Federal Emergency Management Agency \n\n                                              Information Technology Management Letter \n\n                                                         September 30, 2009\n\n                                                                                                                                         Repeat    Risk\nNFR #                            Condition                                            Recommendation                         New Issue\n                                                                                                                                          Issue   Rating\n            was performed to test the local restoration for 4 of          information exists over the current system\n            approximately 170 servers that comprise NEMIS.                
architecture, critical processing priorities,\n            However, the DHS-approved waiver obtained in FY               detailed SOPs for systems recovery and other\n            2008 that listed table-top testing as a compensating          required components in accordance with DHS\n            control for FEMA\xe2\x80\x99s inability to fully test NEMIS was          guidance.\n            expired.\n                                                                     \xef\xbf\xbd    Conduct documented annual tests of the\n            In FY 2009, we also determined that the existing              NEMIS Contingency Plan that address all\n            NEMIS Contingency Plan does not adequately and                critical phases of the plan, and update the plan\n            comprehensively include information required by               with lessons learned, as necessary and in\n            DHS policy for systems with high impact availability.         accordance with DHS and NIST requirements.\n            For example, we noted the following weaknesses:\n                                                                     \xef\xbf\xbd    If the NEMIS contingency plan cannot be\n            \xef\xbf\xbd   Detailed information over NEMIS system                    tested in accordance with DHS guidance for\n                architecture such, as the database and server             high impact availability systems, develop,\n                names and information over the various modules            implement,     and    document       effective\n                of NEMIS, was not appropriately documented to             compensating and mitigating controls.\n                reflect the current operating environment.\n            \xef\xbf\xbd   The contingency plan did not include detailed\n                procedures necessary to fully restore the NEMIS\n                application in the event of an emergency.\n             \xef\xbf\xbd System/Application          Recovery       
Priority\n                Classification have not been defined.\n             \xef\xbf\xbd Service Level Agreements and Memorandum of\n                Understandings (MOU) were not included in the\n                plan.\n             \xef\xbf\xbd The Business Impact Analysis included in the\n                contingency plan was completed in 2004 and\n                was not adequately documented.\n FEMA\xc2\xad     In FY 2009, we performed follow-up testwork over          In accordance with DHS and FEMA policy,X                                         3\nIT-09-28   NEMIS non-emergency system changes that occurred          ensure that when implementing the new NEMIS\n\n\n\n                                                                         27\n           Information Technology Management Letter for FEMA Component of the FY 2009 DHS Integrated Audit\n\x0c                                                                                                                                    Appendix B\n\n                                                  Department of Homeland Security\n \n\n                                              Federal Emergency Management Agency \n\n                                              Information Technology Management Letter \n\n                                                         September 30, 2009\n\n                                                                                                                                    Repeat    Risk\nNFR #                            Condition                                           Recommendation                     New Issue\n                                                                                                                                     Issue   Rating\n           under the process established during the time frame of     non-emergency change control process that all\n           October 1, 2008 to February 28, 2009 prior to the          required approvals are 
obtained prior to\n           change in the NEMIS development contractors.               development and implementation of changes\n           Specifically, of the 25 NEMIS non-emergency                into production. Additionally, ensure that the\n           application level System Change Requests (SCR)             appropriate testing is conducted and that the\n           tested, we noted the following exceptions:                 testing documentation is appropriately retained\n                                                                      according to FEMA and DHS policy.\n           \xef\xbf\xbd   7 of 25 SCRs did not obtain documented SCR\n               approval prior to development;\n           \xef\xbf\xbd   21 of 25 SCRs did not obtain documented\n               Technical Development Laboratory (TDL)\n               approval prior to implementation in the test\n               environment;\n           \xef\xbf\xbd   2 of 25 SCRs did not obtain documented\n               Technical Review Committee (TRC) approval\n               prior to implementation into production; and\n           \xef\xbf\xbd   8 of 25 SCRs did not have testing documentation\n               to demonstrate that testing occurred.\n\n FEMA\xc2\xad     We tested a selection of 3 NEMIS emergency                 In accordance with DHS and FEMA policy,X                                   3\nIT-09-29   application level SCRs that occurred in the time frame     ensure that when implementing the new NEMIS\n           of October 1, 2008 to February 28, 2009 before             emergency change management process that all\n           NEMIS configuration management responsibility was          required approvals are obtained prior to\n           transitioned to the new contractor. Of the 3 SCRs          development and implementation of changes\n           tested, we noted that 1 was missing the required initial   into production. 
Additionally, ensure that the\n           approval prior to moving the change into the TDL           appropriate testing is conducted and that the\n           environment for testing.                                   testing documentation is appropriately retained\n                                                                      according to FEMA and DHS policy.\n\n\n\n\n                                                                        28\n           Information Technology Management Letter for FEMA Component of the FY 2009 DHS Integrated Audit\n\x0c                                                                                                                                        Appendix B\n\n                                                  Department of Homeland Security\n \n\n                                              Federal Emergency Management Agency \n\n                                              Information Technology Management Letter \n\n                                                         September 30, 2009\n\n                                                                                                                                        Repeat    Risk\nNFR #                            Condition                                            Recommendation                        New Issue\n                                                                                                                                         Issue   Rating\n FEMA\xc2\xad     In FY 2009, we performed follow-up test work and           Continuing with our prior year recommendation,\n                                                                                                                   X                               1\nIT-09-38   determined that the National Flood Insurance Program       document Traverse duties that are incompatible,\n           (NFIP) contractor had documented system roles and          and develop and implement 
policies and\n           had implemented capabilities for enforcing                 procedures for properly segregating incompatible\n           segregation of duties for users within the Traverse        duties within the system when granting and\n           application currently. Also, as a mitigating control,      maintaining access.\n           the NFIP contractor reviews a User Log report\n           generated by Traverse for each financial user\xe2\x80\x99s system\n           access, which is reviewed and signed off on every\n           month to ensure that the appropriate privileges are\n           assigned. However, incompatible duties that must\n           remain segregated when granting and maintaining user\n           access to the Traverse application have not been\n           documented.\n           We were also reviewed the Traverse Standard\n           Operating Procedure (SOP) for Financial Processes\n           and noted that it states that a Traverse user log is\n           produced to show appropriate user access to perform\n           accounting duties and usage of the Traverse\n           accounting system. However, the SOP does not\n           include policies and procedures regarding segregating\n           incompatible duties within Traverse.\n FEMA\xc2\xad     The Traverse and Transaction Reporting and                 \xef\xbf\xbd    Complete the documentation and testing of Xthe                            2\nIT-09-39   Recording Processing (TRRP) Contingency Plan has                TRRP and Traverse Contingency Plan, to\n           not been tested, and a test of the system fail-over             include all critical phases of the plan in\n           capability at the alternate processing site has not been        accordance with DHS policy requirements for\n           conducted. Also, we did not receive the requested               high impact systems. 
In addition, conduct a\n           NFIP Certification & Accreditation (C&A) package                test of the system fail-over capability at the\n           that includes the Traverse and TRRP Contingency                 alternate processing site, and ensure that\n           Plan and the test results. As a result, we determined           TRRP and Traverse processing is tested in\n           that a current contingency plan for the TRRP and\n\n\n                                                                          29\n           Information Technology Management Letter for FEMA Component of the FY 2009 DHS Integrated Audit\n\x0c                                                                                                                                       Appendix B\n\n                                                  Department of Homeland Security\n \n\n                                              Federal Emergency Management Agency \n\n                                              Information Technology Management Letter \n\n                                                         September 30, 2009\n\n                                                                                                                                       Repeat    Risk\nNFR #                            Condition                                          Recommendation                         New Issue\n                                                                                                                                        Issue   Rating\n           Traverse applications does not exist.                         
accordance with DHS guidance.\n           At the time of our audit testwork, we were informed      \xef\xbf\xbd    Revise the NFIP Bureau and Statistical Agent\n           that due to delays in implementation of the new               Disaster Recovery and Continuity of\n           system of record, NFIP and the NFIP IT contractor             Operations Plan to incorporate the Traverse\n           had initiated efforts FEMA\xe2\x80\x99s Chief Information                and TRRP alternate processing facility and the\n           Security Officer (CISO) to recertify and accredit the         TRRP critical data files in accordance with\n           NFIP legacy system and update and test the Traverse           DHS guidance for high impact systems.\n           and TRRP Contingency Plan and NFIP Bureau and                 Additionally, the revised plan should be tested\n           Statistical Agent Disaster Recovery and Continuity of         and updated with lessons learned from the\n           Operations Plan.                                              testing.\n           Furthermore, the NFIP Bureau and Statistical Agent\n           Disaster Recovery and Continuity of Operations Plan\n           provided for auditor review does not incorporate the\n           Traverse and TRRP alternate processing facility or\n           TRRP critical data files.\n\n FEMA\xc2\xad     We determined that access for Core IFMIS Oracle          \xef\xbf\xbd    Review and revise the Office of the ChiefX                                 3\nIT-09-45   database users was appropriately documented and               Financial Officer\xe2\x80\x99s existing Procedures for\n           authorized. Thus, this portion of the prior year              Granting Access to IFMIS to require\n           recommendation, as it relates to the Core IFMIS               authorization of new and modified Core\n           database, is closed.                                          
IFMIS user accounts by supervisors, program\n           Additionally, we reviewed a selection of 40 Core              managers, and contracting officers\xe2\x80\x99 technical\n           IFMIS Forms 20-24 (access request forms) for users            representatives (COTRs) in accordance with\n           who were either new IFMIS users during the fiscal             DHS guidance. The requirements should also\n           year or whose access profile changed during the fiscal        include the retention of Core IFMIS access\n           year outside of the recertification process. We               authorization documentation.\n           determined that of the 40 active application users       \xef\xbf\xbd    Develop and implement of policies and\n           tested:                                                       procedures over periodic recertification of all\n           \xef\xbf\xbd   Two users did not have a completed Form 20-24             user access to the Core IFMIS Oracle\n               on file;                                                  database, and retain auditable records in\n\n\n\n                                                                        30\n           Information Technology Management Letter for FEMA Component of the FY 2009 DHS Integrated Audit\n\x0c                                                                                                                                      Appendix B\n\n                                                 Department of Homeland Security\n \n\n                                             Federal Emergency Management Agency \n\n                                             Information Technology Management Letter \n\n                                                        September 30, 2009\n\n                                                                                                                                      Repeat    Risk\nNFR #                           Condition              
                             Recommendation                        New Issue\n                                                                                                                                       Issue   Rating\n           \xef\xbf\xbd   FEMA was unable to provide evidence that the             accordance with DHS policies and procedures\n               initial account creation of 10 accounts during FY        as evidence that recertifications are conducted\n               2009 was authorized; and                                 and completed periodically. Additionally, if\n           \xef\xbf\xbd   FEMA was unable to provide evidence that                 the Core IFMIS/Grants and Training (G&T)\n               modifications to account privileges for 10               IFMIS merger is performed in FY 2010,\n               accounts were authorized.                                ensure that a recertification of IFMIS Oracle\n                                                                        accounts is performed prior to the merger.\n           FEMA management additionally informed us that\n           recertification of IFMIS Oracle database accounts had\n           not been performed during FY 2009.\n\n           Consequently, we concluded that while certain\n           corrective actions to address weaknesses over Core\n           IFMIS account management have been implemented,\n           FEMA has not consistently maintained documentation\n           for initial account creation or subsequent account\n           modification for the application, and FEMA has not\n           developed or implemented a process to recertify\n           accounts on the IFMIS Oracle database.\n FEMA\xc2\xad     We determined that a MOU and Interconnection             No recommendation is required for this weaknessX                               1\nIT-09-46   Sharing Agreement (ISA) was documented, accepted,        that existed for the majority of FY 2009 because it\n 
          and signed by FEMA and the Department of the             was remedied on April 22, 2009 when the MOU\n           Treasury on April 22, 2009. Consequently, while the      and ISA were signed by FEMA and Department of\n           prior-year recommendation was addressed, the             the Treasury management.\n           interconnection was operating without authority for a\n           majority of the fiscal year, and the NFR is re-issued.\n\n\n\n\n                                                                      31\n           Information Technology Management Letter for FEMA Component of the FY 2009 DHS Integrated Audit\n\x0c                                                                                                                                       Appendix B\n\n                                                  Department of Homeland Security\n \n\n                                              Federal Emergency Management Agency \n\n                                              Information Technology Management Letter \n\n                                                         September 30, 2009\n\n                                                                                                                                       Repeat    Risk\nNFR #                            Condition                                            Recommendation                       New Issue\n                                                                                                                                        Issue   Rating\n FEMA\xc2\xad     During the FY 2009 audit, we were informed that            Complete planned corrective actions to developX                             3\nIT-09-48   internal vulnerability scans are conducted every month     and implement an SOP that outlines the process\n           on the NEMIS systems. 
However, FEMA personnel              for formally reporting and tracking resolution of\n           informed us that identified vulnerabilities and related    weaknesses identified during internal NEMIS\n           corrective actions are reported and tracked via emails     vulnerability scans in accordance with DHS\n           and not documented in Plan of Action and Milestones        guidance.\n           (POA&M).\n\n FEMA\xc2\xad     During FY 2009 follow-up testwork, we obtained             \xef\xbf\xbd                                              X\n                                                                           Revise and implement policies and procedures                             3\nIT-09-50   evidence that \xe2\x80\x9csuperuser\xe2\x80\x9d activity reports for Core             that document requirements for configuring,\n           IFMIS were appropriately reviewed by FSS personnel              retaining, and reviewing audit trails for the\n           in accordance with FEMA and DHS policy.                         Core IFMIS application and database, in\n           Consequently, this portion of our recommendation for            accordance with DHS policy. Additionally,\n           prior year NFR FEMA-IT-08-50 is closed.                         ensure that all DHS requirements are met\n           However, FSS personnel informed us that failed                  through this process, including appropriate\n           database login attempts and activity performed by               supervisory review and retention.\n           application users with the \xe2\x80\x9csuperuser\xe2\x80\x9d role remain the     \xef\xbf\xbd    Implement configurations on the Core IFMIS\n           only forms of activity logged and monitored for Core            application and database in accordance with\n           IFMIS. 
Other activity on the application and database           DHS policy to ensure that audit logs\n           required to be logged by DHS policy, including                  sufficiently record required auditable events\n           successful logins, access modifications, and changes            and activities.\n           to user profile, are not enabled within Core IFMIS.\n           Additionally, we noted that a procedure does not exist\n           to establish the process for reviewing and retaining\n           evidence of these logs once the configurations are\n           implemented.\n           FEMA reported in the FY 2008 audit remediation plan\n           that internal instructions describing the review process\n           for these two reports were documented. We reviewed\n           the SOP, Monitoring of IFMIS Database Audit Logs,\n           and determined it addresses the process for reviewing\n\n\n                                                                          32\n           Information Technology Management Letter for FEMA Component of the FY 2009 DHS Integrated Audit\n\x0c                                                                                                                                      Appendix B\n\n                                                 Department of Homeland Security\n \n\n                                             Federal Emergency Management Agency \n\n                                             Information Technology Management Letter \n\n                                                        September 30, 2009\n\n                                                                                                                                      Repeat    Risk\nNFR #                           Condition                                           Recommendation                        New Issue\n                                                                                                                      
                 Issue   Rating\n           the daily Oracle failed login report. However,\n           documented instructions concerning the review of\n           weekly \xe2\x80\x9csuperuser\xe2\x80\x9d reports were not provided to us\n           during the audit.\n FEMA\xc2\xad     During our FY 2009 integrated test work, IT                                                             X                               3\n                                                                    \xe2\x80\xa2    Revise and enforce the SOP for Handling of\nIT-09-51   Enterprise Operations personnel informed us that the\n                                                                         Oracle Audit Logs to ensure that the\n           SOP for Handling of Oracle Audit Logs was\n                                                                         procedures are developed and implemented in\n           implemented for the databases specified in the SOP\n                                                                         accordance with DHS guidance, to include:\n           and that evidence of audit log reviews are retained.\n           However, we noted that weaknesses in NEMIS                    \xef\xbf\xbd   All databases within the defined system\n           database audit controls still exist, as follows:                  boundaries that support NEMIS financial\n           \xe2\x80\xa2   During our inspection of the SOP, we noted that it            applications and modules within the scope\n               requires the procedures to be performed for two               of the SOP,\n               specific NEMIS databases, the National                    \xef\xbf\xbd   Requirements for audit logging and\n               Processing Service Center (NPSC) database and                 retention of audit trails,\n               the Consolidated Master database. 
However,                \xef\xbf\xbd   Periodic reviews of audit trails for NEMIS\n               through additional testwork, we noted that                    databases, and\n               NEMIS has at least 23 databases. Consequently,            \xef\xbf\xbd   Appropriate segregation of duties\n               not all of the databases that comprise NEMIS are              principles.\n               included within the scope of the SOP, and we\n               were informed by IT Enterprise Operations            \xef\xbf\xbd    Implement      configurations    on     NEMIS\n               personnel that no additional SOPs exist that              databases in accordance with DHS policy over\n               address auditing logging for the remaining 21             required auditable events and activities.\n               databases.\n           \xe2\x80\xa2   The SOP has not been updated to require that\n               successful logins, access modifications, highly\n               privileged user account activity, and changes to\n               user profiles are logged and reviewed.\n           \xe2\x80\xa2   On four of the NEMIS databases related to\n               financial processing that we selected for testing,\n\n\n                                                                        33\n           Information Technology Management Letter for FEMA Component of the FY 2009 DHS Integrated Audit\n\x0c                                                                                                                                        Appendix B\n\n                                                   Department of Homeland Security\n \n\n                                               Federal Emergency Management Agency \n\n                                               Information Technology Management Letter \n\n                                                          September 30, 2009\n\n                                                                           
                                                             Repeat    Risk\nNFR #                            Condition                                            Recommendation                        New Issue\n                                                                                                                                         Issue   Rating\n               we determined that configurations are not fully\n               enabled so that a review of audit trails and activity\n               defined by DHS policy requirements can be\n               completed.\n           \xe2\x80\xa2   Based on our review of audit log documentation,\n               we noted that reviews of audit logs for NEMIS\n               databases are performed by the database\n               administrators (DBAs) who have been assigned\n               administrator privileges to administer the\n               databases. Thus, we determined that database\n               audit log review duties are not appropriately\n               segregated from DBA duties.\n\n FEMA\xc2\xad     In FY 2009, we performed follow-up testwork and             Dedicate the appropriate resources to complete X                              3\nIT-09-52   were informed that FEMA is currently in the process         efforts to document, finalize, and implement\n           of updating the NEMIS patch management policy and           comprehensive patch management policies and\n           that the finalized policy had not been implemented.         procedures for NEMIS, in accordance with DHS\n           However, FEMA could not provide us with a copy of           policy. Additionally, ensure that these procedures\n           the requested draft policy that was reported as under       include requirements for responding to DHS\n           development for our review. 
Condition (continued from previous page): Based on additional inquiry, we also determined that the
timeframe for implementing patches on FEMA systems has not been established, in accordance with DHS
guidance.
Recommendation (continued from previous page): ... Security Operations Center (SOC) and DHS Computer
Security Incident Response Center (CSIRC) notifications to ensure compliance with the timely
implementation of required patches.

                                                                         34
           Information Technology Management Letter for FEMA Component of the FY 2009 DHS Integrated Audit

                                                                                                     Appendix B

                                   Department of Homeland Security
                               Federal Emergency Management Agency
                               Information Technology Management Letter
                                          September 30, 2009

Columns: NFR #, Condition, Recommendation, New Issue, Repeat Issue, Risk Rating

FEMA-IT-09-53
Condition: During our FY 2009 audit, we reviewed FEMA’s Remediation Plan, and we noted that FEMA
management had reported that corrective action to update the NEMIS SSP had been fully implemented. We
obtained the NEMIS SSP dated February 16, 2009 for our review and noted that the plan had been revised
since our prior year audit. However, upon further inspection, we determined that the current plan does
not fully document the system’s boundaries, define all of the NEMIS subsystems and major applications,
nor establish security responsibilities for the various system components.
Recommendation: Ensure that the NEMIS SSP is updated in accordance with DHS policy so that the system’s
boundaries, components, and responsibilities surrounding the various subsystems and major applications
of NEMIS are accurately and comprehensively documented in the plan.
New Issue: X    Risk Rating: 2

FEMA-IT-09-54
Condition: In FY 2009, we performed testwork over Traverse configuration management. Upon inspection of
the System Change Control Procedures that address Traverse configuration management, we noted that the
procedures outline steps for controlling changes during the change control process for Traverse.
However, the procedures do not include comprehensive configuration management guidance that addresses
the following elements required by FEMA and DHS policy:
  • configuration identification
  • configuration control
  • version control
  • configuration status accounting
  • configuration audits
  • establishment of a Change Control Board (CCB) or TRC for evaluating changes prior to production
Recommendation: Ensure the implementation of an updated version of the current Traverse configuration
management procedures that comprehensively addresses FEMA and DHS requirements.
New Issue: X    Risk Rating: 2

FEMA-IT-09-56
Condition: Based on observations conducted with FSS and G&T IFMIS database personnel, we identified the
following weaknesses in database security controls:
  • A manual review of inactive G&T IFMIS database accounts is performed on a monthly basis to disable
    accounts which have not been used in the past 90 days. However, since IFMIS is categorized as a
    high impact system, reviews are required to identify accounts that have been inactive for 45 days.
  • Strong passwords are not required and/or enforced for G&T IFMIS database accounts.
  • Emergency and temporary access to the G&T IFMIS database, including access for contractor
    development personnel, is approved by the FSS Chief and/or their staff, not by the FEMA
    CISO/Information System Security Manager (ISSM) or a designee, as required by DHS policy.
Recommendation:
  • Revise the formal process for reviewing and disabling inactive G&T IFMIS Oracle database user
    accounts to adhere to DHS policy over disabling inactive accounts on high impact systems.
  • Configure all G&T IFMIS Oracle database user accounts to adhere to DHS policy for passwords and
    authenticator controls.
  • Establish a formal process for granting emergency and temporary IFMIS G&T database access that
    includes segregation of duties considerations and appropriate approval from FEMA management in
    accordance with DHS policy.
New Issue: X    Risk Rating: 3

FEMA-IT-09-57
Condition: Based on observations conducted with FSS and G&T IFMIS database personnel, we determined
that Oracle database audit trails are not configured to capture any activity, including failed login
attempts or administrator-level actions.
Recommendation:
  • Configure the G&T IFMIS databases to log events and retain audit records in accordance with DHS
    policy; and
  • Develop and implement policies and procedures surrounding the requirements for G&T IFMIS database
    audit logging to include the periodic review of database audit logs in accordance with DHS policy.
Risk Rating: 3

FEMA-IT-09-58
Condition: Based on corroborative inquiry with FSS and application and database administrators, we
concluded that a management review to validate the appropriateness of G&T application and Oracle
database user accounts has not been formally implemented or performed by FSS this fiscal year.
Additionally, FSS management further informed us that no recertification of accounts was conducted
when the application was acquired and brought online at FEMA in FY 2007 and has not been conducted
since.
Recommendation:
  • Establish a formalized process for the recertification of the G&T IFMIS application and database
    accounts or include G&T IFMIS in the scope of the formalized processes for the recertification of
    Core IFMIS application and database accounts. Additionally, ensure that the established processes
    are developed and implemented in accordance with DHS guidance.
  • Conduct an immediate recertification of user account access on the G&T IFMIS application and
    Oracle database to validate the continued appropriateness of access as being commensurate with job
    responsibilities.
New Issue: X    Risk Rating: 3

FEMA-IT-09-59
Condition: In FY 2009, we performed test work over the G&T “ifmiscm” account to determine the controls
in place for the migration of changes into production. The “ifmiscm” account is used by the FEMA
development contractor to deploy changes into the UNIX production environment. Per our review, we
noted that the G&T IFMIS application programmers responsible for maintaining and developing changes
for the G&T IFMIS application are also responsible for migrating application code changes into the
production environment using the “ifmiscm” account. Additionally, when we inspected the account, the
G&T “ifmiscm” account was not locked on May 15, 2009, which allowed the contractor unrestricted access
to the production environment. We were further informed by FEMA personnel that access to that account
is not limited or monitored on a periodic basis.
Recommendation:
  • Limit the contracted developers’ access to the G&T IFMIS production environment to “read only,”
    and segregate the responsibility for deploying application code changes into production from the
    contractor to an independent control group.
  • If business need requires that the segregation of duties cannot be immediately implemented,
    document policies and procedures to mitigate the risk associated with the segregation of duties
    weakness noted in accordance with DHS guidance.
New Issue: X    Risk Rating: 3

FEMA-IT-09-60
Condition: During our testwork, we concluded that the “Legacy NFIP IT System” C&A pertaining to the
Traverse application, TRRP application, and NFIP Local Area Network (LAN) expired on October 4, 2008.
Consequently, the legacy system has since been operating without a current Authorization to Operate
(ATO). Furthermore, we were not provided the requested NFIP C&A package consisting of the following
artifacts:
  • Federal Information Processing Standard (FIPS) 199 Categorization
  • Privacy Impact Assessment
  • E-Authentication
  • Risk Assessment
  • SSP
  • Contingency Plan
  • Security Test and Evaluation
  • Contingency Plan Testing
  • Security Assessment Report
  • ATO
  • Annual NIST SP 800-53-based Self-Assessments
Recommendation: Immediately work with FEMA’s CISO to complete the recertification and accreditation
of the NFIP legacy system in accordance with applicable DHS policies and Federal guidance.
New Issue: X    Risk Rating: 2

FEMA-IT-09-61
Condition: The G&T instance of IFMIS was brought online at FEMA in FY 2007 after acquisition from the
Department of Justice. However, we determined that a C&A of the system had not been performed, and
the system has not received an ATO. Specifically, the following C&A elements have not been completed,
documented, or approved for G&T IFMIS and will not be for the remainder of the fiscal year:
  • FIPS 199 categorization
  • Privacy Impact Assessment
  • E-Authentication
  • Risk Assessment
  • SSP
  • Contingency Plan
  • Security Test and Evaluation
  • Contingency Plan Testing
  • Security Assessment Report
  • ATO
  • Annual NIST SP 800-53-based Self-Assessments
In addition, we determined that at the time of our test procedures, neither an ISSO nor a Designated
Authorizing Authority (DAA) had been formally designated for the G&T instance of IFMIS by FEMA
management.
Recommendation:
  • Formally designate an ISSO and DAA for G&T IFMIS.
  • Immediately work with FEMA’s Information Security Office to certify and accredit the G&T IFMIS
    instance in accordance with applicable DHS policies and Federal guidance. If FEMA management makes
    a business decision to conduct a C&A of IFMIS after the merger and not over the existing G&T IFMIS
    instance, as a mitigating control, immediately conduct an assessment of key controls to identify
    security weaknesses and determine the operational risks related to IFMIS G&T. The weaknesses
    identified should be documented with plans for accelerated remediation efforts or related risks
    should be formally accepted by FEMA in accordance with DHS guidance.
New Issue: X    Risk Rating: 3

FEMA-IT-09-62
Condition: We reviewed the VPN Rules of Behavior for Users Behind Corporate Firewalls, dated
December 5, 2002, and noted that individual VPN access request forms are required to be completed,
approved by managers, and submitted to the National Help Desk, Enterprise Service Desk (ESD).
However, we noted that the requirements do not include approval by the system owner or a designated
representative, as required by DHS policy.
We reviewed a blank VPN Access Request Form and noted that an approval block titled “For FEMA Office
of Cyber Security (OCS) Use Only” is included and that the form states that all VPN requests must be
approved by the FEMA OCS. We reviewed a selection of 25 completed forms for active VPN user accounts
and determined that, while the forms were approved by the requestor’s manager or supervisor, none of
the forms had an approval noted by OCS or an appropriate designated representative of the system
owner. Additionally, we were informed by FEMA IT security personnel that OCS, as referred to in the
Rules of Behavior and the request form, does not currently exist as a FEMA Division due to FEMA’s
reorganization. Consequently, existing policies and procedures do not reflect the current security
management structure at FEMA nor do they assign responsibility to a current entity within the agency.
Additionally, we were informed that a periodic recertification of FEMA VPN access accounts is not
currently performed to ensure that remote access is still necessary and appropriate for each
individual. VPN accounts are managed within the FEMA LAN, specifically the Active Directory
environment, and subsequently added to the Cisco Access Control Server (ACS) that permits VPN access.
However, through test work conducted over the FEMA LAN, we determined that a recertification of
network user accounts is not performed.
Recommendation:
  • Revise and implement policies and procedures for documenting, reviewing, and approving individual
    VPN user accounts for employees of external entities requiring access to the FEMA network via VPN
    access, and ensure that sufficient resources are dedicated to appropriately authorize accounts on
    behalf of the system owner or a designee, according to FEMA and DHS policy.
  • Develop and implement policies and procedures in accordance with DHS policy to perform a periodic
    recertification of all VPN user access and retain auditable records as evidence that
    recertifications are conducted and completed periodically.
New Issue: X    Risk Rating: 3

FEMA-IT-09-63
Condition: We noted the following weaknesses in the process for authorizing remote VPN access to
external organizations, including state emergency management agencies and FEMA contractors:
  • The existing documentation that defines the process for granting and maintaining VPN access to
    the FEMA network does not include requirements for administering the site survey process,
    including requirements for the authorization of site surveys, recertification of site surveys,
    and the security requirements associated with the various aspects of the process.
  • FEMA has not formally identified and documented the roles and responsibilities necessary within
    FEMA to properly authorize and administer VPN access to individuals using non-DHS equipment to
    access the FEMA network.
Additionally, we noted that the current process in place for granting remote access to the FEMA
network through VPN is not in compliance with FEMA, DHS, and NIST guidance. Specifically, we noted the
following weaknesses:
  • Access for state emergency management agencies and FEMA contractors to load the VPN client onto
    state or contractor owned equipment to connect to the FEMA LAN is approved by the SOC. However,
    DHS policy requires that any non-DHS equipment connecting to a DHS network must be authorized by
    the Component CISO/ISSM.
  • Two-factor authentication is not used for VPN access, as required by DHS policy.
  • FEMA’s VPN Rules of Behavior for Users Behind Corporate Firewalls, dated December 5, 2002,
    requires an Inter-Agency VPN Agreement between FEMA and external organizations before permitting
    VPN access to the FEMA network through non-Government issued equipment such as contractor or state
    agency workstations. However, we determined that the Inter-Agency VPN Agreements have not been
    documented and that this requirement is inconsistent with DHS policy, which requires ISAs or
    Memoranda of Understanding/Memoranda of Agreement (MOUs/MOAs) prior to establishing a VPN
    connection from equipment operating on an external network.
  • FEMA’s approval of requests for network connections to external organizations through VPN access
    for remote users is based on security control information submitted by the external entities via
    site surveys. Based upon our review of existing site surveys and the site survey process, we noted
    that site surveys were outdated, did not contain the level of technical granularity describing
    the external network security controls required to appropriately approve a connection to the FEMA
    LAN, and were not independently verified for accuracy by FEMA. Additionally, we determined that
    DHS guidance indicates that a single ISA may be used for multiple connections provided that the
    security accreditation is the same for all connections covered by that ISA. However, we determined
    that the security accreditation of multiple connecting networks listed in single ISAs with
    external entities is not being evaluated by the FEMA SOC to ensure the security requirements are
    appropriately implemented.
Recommendation:
  • Revise and implement policies and procedures for documenting, reviewing, and approving the
    security controls in place over non-DHS equipment connecting to the FEMA network via VPN access.
    Specifically, FEMA should clearly define and document a formalized process for the authorization,
    review, and maintenance of VPN access agreements between FEMA and external entities. Additionally,
    ensure that within the policies and procedures, appropriate roles and responsibilities over the
    process are defined to include authorizations by the Component CISO/ISSM to connect to non-DHS
    equipment.
  • Draft and formalize ISAs, MOUs, and MOAs delineating security responsibilities by FEMA and
    external organizations when connecting through non-DHS equipment to the FEMA network via VPN
    access. Such agreements should include evidence of validation by FEMA management that security
    controls in place on external entity networks are appropriate and satisfy requirements for
    minimum security controls on DHS and FEMA systems prior to connection.
  • Ensure that agreements related to VPN access are reviewed and recertified on a periodic basis,
    specifically, when a major system change occurs or every three years, in accordance with DHS
    policy.
  • Implement and require two-factor authentication for all remote access to the FEMA network,
    including VPN and all other tools used for remote access, in accordance with DHS policy and
    FIPS 140-2.
New Issue: X    Risk Rating: 3

FEMA-IT-09-64
Condition: The Core IFMIS database is not configured to retain a history of account passwords in
order to prevent reuse. However, DHS guidance requires passwords to be configured so that users cannot
reuse the last eight passwords.
Recommendation:
  • Configure the Core IFMIS Oracle database to enforce DHS policy requirements regarding the reuse of
    user passwords.
  • Develop and implement procedures to ensure that those with systems administration and security
    responsibilities over the Core IFMIS database environment are made aware of DHS, FEMA and Federal
    system security requirements and guidance and are properly trained in those requirements and
    guidance.
New Issue: X    Risk Rating: 2

FEMA-IT-09-65
Condition: We determined that of 40 access request forms (Form 20-24) for active G&T IFMIS
application users selected:
  • FEMA was unable to provide documented evidence that the initial account creation of 11 accounts
    in FY 2009 was authorized; and
  • FEMA was unable to provide documented evidence that modifications to account privileges for 11
    accounts were authorized.
Additionally, we requested for review a selection of eight G&T IFMIS Oracle Database User Access
Control Forms for G&T IFMIS Oracle database users whose accounts were created during the fiscal year.
We determined that of the eight users selected, two did not have documented evidence that the
accounts were authorized or appropriately approved prior to creation.
Recommendation: Review and revise the Office of the Chief Financial Officer’s existing Procedures for
Granting Access to IFMIS to specifically require the authorization of new and modified G&T IFMIS user
accounts by supervisors, program managers, and/or contracting officers’ technical representatives for
the G&T IFMIS application and database in accordance with DHS guidance. The requirements should also
include retention guidance for G&T IFMIS access authorization documentation.
New Issue: X    Risk Rating: 3

FEMA-IT-09-66
Condition: Based on observations conducted with IT Enterprise Operations database personnel over the
four databases selected for test work that process NEMIS financial data, we determined that DBA
account passwords are not required to be “strong passwords.” Specifically:
  • No minimum password length is enforced.
  • Password complexity is not required so that passwords include a combination of upper/lowercase
    letters, numbers, and special characters.
  • Reuse of previous passwords is not prohibited.
Recommendation:
  • Configure all NEMIS Oracle databases to enforce the DHS policy for passwords and authenticator
    control requirements, including expiration, reuse, and length and complexity.
  • Develop and implement procedures to ensure that those with systems administration and security
    responsibilities over the NEMIS database environment are made aware of DHS, FEMA and Federal
    requirements and guidance and are properly trained in those requirements and guidance.
New Issue: X    Risk Rating: 3
requirements and guidance.\n           \xef\xbf\xbd   Passwords are not configured to expire and forced\n               to be changed after a predetermined length of\n\n\n                                                                         44\n           Information Technology Management Letter for FEMA Component of the FY 2009 DHS Integrated Audit\n\x0c                                                                                                                                      Appendix B\n\n                                                  Department of Homeland Security\n \n\n                                              Federal Emergency Management Agency \n\n                                              Information Technology Management Letter \n\n                                                         September 30, 2009\n\n                                                                                                                                      Repeat    Risk\nNFR #                            Condition                                          Recommendation                        New Issue\n                                                                                                                                       Issue   Rating\n               time.\n\n\n\n FEMA\xc2\xad     Based on observations conducted over the FEMA             Implement the plan to configure the FEMA LAN            X                     2\nIT-09-67   domain policy and an end-user workstation, we             domain security policy to automatically activate a\n           determined that workstations are configured to            password-protected screensaver on end-user\n           activate a password-protected screensaver after 15        workstations after five minutes of inactivity,\n           minutes of inactivity, rather than the five minute        consistent with DHS policy.\n           inactivity threshold required by DHS policy.\n\n FEMA\xc2\xad     We 
determined that a C&A of the Payment and               \xef\xbf\xbd    Formally designate an ISSO and DAA for             X                     3\nIT-09-68   Reporting System (PARS) was not performed and the              PARS.\n           system had not received an ATO. Specifically, no\n           evidence exists to support that the required C&A          \xef\xbf\xbd    Immediately work with FEMA\xe2\x80\x99s Chief\n           elements have been completed, documented, or                   Information Security Office to certify and\n           approved for PARS.                                             accredit PARS in accordance with applicable\n                                                                          DHS policies and Federal guidance.\n           In addition, we determined that at the time of our test\n           procedures, neither an ISSO nor a DAA had been\n           formally designated by FEMA management for PARS.\n FEMA\xc2\xad     Upon inspection of the NFIP Technical Services            Ensure implementation of an updated version of          X                     2\nIT-09-69   Department Production Systems Control Unit                the current TRRP configuration management\n           Procedures, that addresses TRRP configuration             procedures that comprehensively addresses FEMA\n           management, we noted that the procedures outline          and DHS requirements. The updated procedures\n           steps for controlling changes during the change control   should require initial approvals of OSRs and\n           process for TRRP. 
However, the procedures do not          establish a process for obtaining CCB and TRC\n           include a comprehensive configuration management          approvals prior to implementing changes into\n           guidance that addresses the required elements for a       production, in accordance with DHS policies and\n           comprehensive configuration management plan in            procedures.\n           accordance with FEMA and DHS policy.\n           Furthermore, we performed testwork over initial\n\n\n                                                                         45\n           Information Technology Management Letter for FEMA Component of the FY 2009 DHS Integrated Audit\n\x0c                                                                                                                                       Appendix B\n\n                                                   Department of Homeland Security\n \n\n                                               Federal Emergency Management Agency \n\n                                               Information Technology Management Letter \n\n                                                          September 30, 2009\n\n                                                                                                                                       Repeat    Risk\nNFR #                            Condition                                            Recommendation                       New Issue\n                                                                                                                                        Issue   Rating\n           approval, testing, and implementation of a selection\n           of 25 TRRP changes made in FY 2009 and noted the\n           following exceptions:\n           \xef\xbf\xbd   16 out of the 25 changes did not obtain initial\n               Operating System Request (OSR) approvals prior\n               to developing the change.\n           
\xef\xbf\xbd   All 25 changes did not obtain TRC or CCB\n               approval for production implementation.\n\n FEMA\xc2\xad     We were informed by the NFIP contractors that no            Document, finalize, and implement comprehensive        X                     2\nIT-09-70   patch management policy and procedures exist for the        patch management policies and procedures for the\n           Windows operating system which supports the                 NFIP LAN and the Traverse operating system, in\n           Traverse application and the NFIP LAN.                      accordance with DHS policy. Additionally, ensure\n                                                                       that this procedure includes requirements for\n           Additionally, we determined that while NFIP has\n                                                                       authorizing, testing, and approving patches to be\n           documented the Traverse System Software Procedures\n                                                                       implemented into production and responding to\n           which outline the process to initiate, approve, test, and\n                                                                       DHS SOC and DHS CSIRC notifications to ensure\n           implement operating system upgrades into production,\n                                                                       compliance with the timely implementation of\n           the procedures do not specifically address patch\n                                                                       required patches.\n           management. 
Furthermore, the procedures do not\n           provide robust guidance for approving, installing, and\n           testing patches, according to DHS requirements.\n\n\n\n\n                                                                         46\n           Information Technology Management Letter for FEMA Component of the FY 2009 DHS Integrated Audit\n\x0c                                                                                                                                            Appendix B\n\n                                                  Department of Homeland Security\n \n\n                                              Federal Emergency Management Agency \n\n                                              Information Technology Management Letter \n\n                                                         September 30, 2009\n\n                                                                                                                                            Repeat    Risk\nNFR #                            Condition                                             Recommendation                           New Issue\n                                                                                                                                             Issue   Rating\n FEMA\xc2\xad     During our after-hours physical testing, we identified     Review the effectiveness of existing security                X                   2\nIT-09-71   42 written unprotected passwords, 4 external memory        awareness programs designed to protect electronic\n           drives, 2 documents labeled as \xe2\x80\x98For Official Use Only      and physical data, and ensure that individuals are\n           (FOUO)\xe2\x80\x99, 2 badges, 2 instances of unsecured                adequately instructed and reminded of their roles\n           Personally Identifiable Information (PII), 1 instance of   in the protection of both electronic and physical\n           a written 
server name with an Internet Protocol (IP)       FEMA data and hardware. Additionally, FEMA\n           address, and 1 unsecured laptop.                           employees and contractors should be made aware\n                                                                      of the need to protect PII, as well as information\n                                                                      marked \xe2\x80\x9cFOUO.\xe2\x80\x9d\n\n FEMA\xc2\xad     Through discussions with FSS personnel, we                 \xef\xbf\xbd    Submit a revised DHS Waivers and                        X                     3\nIT-09-72   determined that the description of mitigating and               Exceptions Request Form that accurately\n           compensating controls noted in the approved DHS                 reflects the mitigating and compensating\n           Waivers and Exceptions Request for Core IFMIS does              controls in place on the Core IFMIS\n           not accurately reflect the operating environment for            environment to justify exception from DHS\n           the Core IFMIS application and database.                        policy concerning audit logging on the Core\n           Specifically:                                                   IFMIS database.\n           \xef\xbf\xbd   Successful database connections are not logged, as     \xef\xbf\xbd    Ensure that future waiver and exception\n               described.                                                  requests involve the input, review, and\n           \xef\xbf\xbd   Superuser activity is monitored at the application          approval of system owners and administrators\n               level. However, no other audit logs or records              to provide adequate assurance that the\n               described in the request are reviewed.                      
documented      risk    mitigation      strategies\n           \xef\xbf\xbd   The exception request states that \xe2\x80\x9cdirect access to         accurately reflect security controls in place.\n               the IFMIS database is restricted to approximately\n                                                                      \xef\xbf\xbd    Ensure that FEMA establishes a more formal\n               70 users, and is read-only in nature for the\n                                                                           communication     process     for  providing\n               purposes of running ClearAccess report\n                                                                           approved waivers back to system owners so\n               functions;\xe2\x80\x9d however, direct access to the database\n                                                                           that any requirements for the implementation\n               includes DBAs with read/write privileges in\n                                                                           of additional controls are reviewed and\n               addition to ClearAccess read-only users.\n                                                                           executed appropriately and timely.\n           \xef\xbf\xbd   Approval was granted by the DHS CISO with an\n               added condition that FEMA periodically capture\n\n\n                                                                          47\n           Information Technology Management Letter for FEMA Component of the FY 2009 DHS Integrated Audit\n\x0c                                                                                                          Appendix B\n\n                                                Department of Homeland Security\n \n\n                                            Federal Emergency Management Agency \n\n                                            Information Technology Management Letter \n\n 
                                                      September 30, 2009\n\n                                                                                                          Repeat    Risk\nNFR #                         Condition                                  Recommendation      New Issue\n                                                                                                           Issue   Rating\n            the audit records at a database level and compare\n            them to the application logs to ensure that data is\n            correct at the application level. However, the\n            requirement had not been implemented at the time\n            of our FY 2009 audit procedures.\n        Consequently, we concluded that the request for an\n        exception to DHS policy requirements related to audit\n        logging for the Core IFMIS Oracle database was\n        approved by the DHS CISO based on inconsistent or\n        inaccurate information about the system environment\n        and current controls in place to mitigate the risk of not\n        implementing DHS policy. 
Additionally, the DHS\n        CISO\xe2\x80\x99s condition for granting approval has not been\n        met by FEMA.\n\n\n\n\n                                                                    48\n        Information Technology Management Letter for FEMA Component of the FY 2009 DHS Integrated Audit\n\x0c                                                                                                                                        Appendix B\n\n                                                  Department of Homeland Security\n \n\n                                              Federal Emergency Management Agency \n\n                                              Information Technology Management Letter \n\n                                                         September 30, 2009\n\n                                                                                                                                        Repeat    Risk\nNFR #                            Condition                                            Recommendation                        New Issue\n                                                                                                                                         Issue   Rating\n FEMA\xc2\xad     Based on observations conducted with FEMA IT              \xef\xbf\xbd    Develop and implement policies and                   X                   3\nIT-09-73   security personnel and IFMIS UNIX system                       procedures over the monitoring of system\n           administrators, we determined that the \xe2\x80\x9croot\xe2\x80\x9d account          administrator and highly-privileged account\n           access is not properly restricted and system                   activity in the Core and G&T IFMIS UNIX\n           administrator activities are not appropriately logged.         
environments, in accordance with FEMA and\n           Specifically, the password to access the UNIX \xe2\x80\x9croot\xe2\x80\x9d           DHS policy.\n           administrator account is shared between the\n           administrators and local access to the root account is    \xef\xbf\xbd    Implement technical controls to restrict access\n           not locked down. Additionally, FEMA has not                    to the \xe2\x80\x9croot\xe2\x80\x9d account through the use of\n           enforced the use of the switch user command, \xe2\x80\x9csudo,\xe2\x80\x9d           \xe2\x80\x9csudo\xe2\x80\x9d to ensure that explicitly authorized\n           which requires system administrators to login with             individuals only have access to the account.\n           their userID and switch over to the root account to\n                                                                     \xef\xbf\xbd    Ensure that system logs and records of\n           ensure who is accessing the account is logged and\n                                                                          administrator activity, including \xe2\x80\x9csudo\xe2\x80\x9d\n           authorized.\n                                                                          activity related to the \xe2\x80\x9croot\xe2\x80\x9d account, are\n           Additionally, we determined that system logs and               retained and reviewed by IT security\n           reports of administrator activity, including the \xe2\x80\x9csudo\xe2\x80\x9d        management independent of the system\n           log, which monitors actions performed by                       administration team.\n           administrators while acting as the \xe2\x80\x9croot\xe2\x80\x9d account, were\n           not reviewed by FEMA management personnel\n           independent of the system administration staff.\n FEMA\xc2\xad     FEMA\'s systems inventory does not include all             Update the FEMA system inventory to include the           X 
                    3\nIT-09-74   financial systems. Specifically, G&T IFMIS and            G&T instance of IFMIS, as well as PARS.\n           PARS were not included in the inventory provided to       Comply with DHS policy and consistently follow\n           us during the audit by FEMA, and neither system is        procedures for updating and monitoring the\n           being tracked via the Trusted Agent Federal               FISMA system inventory to ensure that all new\n           Information Security Management Act.                      and current systems are accounted for with\n                                                                     complete and accurate information, in accordance\n                                                                     with NIST and DHS policy.\n\n\n\n\n                                                                         49\n           Information Technology Management Letter for FEMA Component of the FY 2009 DHS Integrated Audit\n\x0c                                                                                                                                        Appendix B\n\n                                                  Department of Homeland Security\n \n\n                                              Federal Emergency Management Agency \n\n                                              Information Technology Management Letter \n\n                                                         September 30, 2009\n\n                                                                                                                                        Repeat    Risk\nNFR #                            Condition                                           Recommendation                         New Issue\n                                                                                                                                         Issue   Rating\n FEMA\xc2\xad     During the audit, we determined that review 
of access     Document defined and repeatable procedures for            X                   1\nIT-09-75   to the NFIP data center is performed on an ad-hoc         the review of physical access to the NFIP data\n           basis. However, there are no policies or procedures       center in accordance with DHS and NIST\n           that require periodic and documented recertification of   guidance.     These procedures should, at a\n           data center access at a defined frequency.                minimum, define the frequency of this review and\n                                                                     what documentation should be maintained as\n                                                                     evidence of that review.\n FEMA\xc2\xad     Based on testwork performed and inquiries conducted       Establish a formal process for granting emergency         X                     3\nIT-09-76   with FSS and Core IFMIS database personnel, we            and temporary Core IFMIS database access that\n           determined that emergency and temporary access to         includes segregation of duties considerations and\n           the database, including access for contractor             appropriate approval from FEMA management in\n           development personnel, is approved by the FSS Chief       accordance with DHS policy.\n           and/or their staff, rather than by the FEMA\n           CISO/ISSM or a designee, as required by DHS policy.\n           Additionally, we determined that the Core IFMIS\n           Oracle database access granted to contracted\n           development personnel to implement database changes\n           to Core IFMIS conflicts with segregation of duties\n           principles.\n\n FEMA\xc2\xad     FEMA OCFO and NFIP financial systems                      Define and implement formal and repeatable                X                     2\nIT-09-77   development and acquisition projects were undertaken      processes 
to ensure that financial systems\n           and progressed without (1) proper oversight of and        development and acquisition projects are\n           direction to contractors, (2) development and approval    conducted in compliance with DHS systems\n           of required project documentation, (3) the continual      engineering life cycle (SELC) and acquisition\n           involvement of the Office of the Chief Information        requirements as well as Federal guidance. The\n           Officer (OCIO) to ensure appropriate consideration        processes should include, but are not limited to,\n           and integration of IT security, and (4) the joint         formal      approval     of    required      project\n           communication and decision-making of FEMA                 documentation, sufficient contractor oversight,\n           OCFO, OCIO, and NFIP management.                          definitions of project roles and responsibilities so\n                                                                     that decision making includes the appropriate\n\n\n\n                                                                       50\n           Information Technology Management Letter for FEMA Component of the FY 2009 DHS Integrated Audit\n\x0c                                                                                                                                Appendix B\n\n                                                Department of Homeland Security\n \n\n                                            Federal Emergency Management Agency \n\n                                            Information Technology Management Letter \n\n                                                       September 30, 2009\n\n                                                                                                                                Repeat    Risk\nNFR #                          Condition                                         Recommendation  
                   New Issue\n                                                                                                                                 Issue   Rating\n                                                                  involvement of all stakeholders and relevant\n                                                                  FEMA management, establishment of Acquisition\n                                                                  Decision Events at each SELC phase, and\n                                                                  integration of IT security considerations\n                                                                  throughout all project phases.\n\n\n FEMA\xc2\xad     Based on our testwork, we concluded that NEMIS         \xef\xbf\xbd    Document and implement a comprehensive          X                     3\nIT-09-78   configuration management is not adequately                  configuration management plan for NEMIS\n           controlled, documented, or managed throughout the           which clearly defines the roles and\n           lifecycle of the FEMA configuration management              responsibilities for FEMA and contractor\n           process. 
Specifically, we identified the following          personnel managing the development of non-\n           weaknesses:                                                 emergency and emergency system changes, in\n                                                                       compliance      with  DHS    and    FEMA\n            \xef\xbf\xbd   NEMIS configuration management policy and\n                                                                       requirements.\n                procedures       which      outline    FEMA\xe2\x80\x99s\n                responsibilities and processes for initiating,    \xef\xbf\xbd    Ensure that NEMIS non-emergency and\n                monitoring, testing, and approving NEMIS non-          emergency system changes are tracked,\n                emergency and emergency changes that are               controlled,   properly   documented,  and\n                developed under the new development contract           managed by FEMA personnel throughout the\n                have not been documented and approved by               lifecycle of the configuration management\n                FEMA management, in accordance with DHS                process in accordance with DHS and FEMA\n                and FEMA policy.                                       
guidance and policies.
• Once the new systems development contractor delivers developed changes to FEMA, FEMA does not monitor and track NEMIS SCRs throughout the configuration management lifecycle, from initial approval through implementation into the production environment. Instead, FEMA only tracks and collects documentation for SCRs from Project Managers at the final approval stage when the request is received by the TRC.

                                                                      51
           Information Technology Management Letter for FEMA Component of the FY 2009 DHS Integrated Audit

                                                                                                                                        Appendix B

                                                 Department of Homeland Security
                                             Federal Emergency Management Agency
                                             Information Technology Management Letter
                                                        September 30, 2009

NFR #          Condition          Recommendation          New Issue          Repeat Issue          Risk Rating
(Each NFR below is listed as one record with the columns above; a blank Repeat Issue column means the finding is a new issue.)

FEMA-IT-09-79          New Issue: X          Risk Rating: 3

Condition:
Based on observations conducted over the FEMA LAN and the Microsoft Windows Active Directory (AD) environment, we concluded that the following weaknesses exist:
• The FEMA LAN domain security policy does not enforce password requirements in accordance with DHS policy.
• Policies and procedures over the authorization of FEMA LAN accounts, independent of the NACS approval process outlined in the Non-User Specific, Shared, Other Group Type Accounts SOP, have not been finalized or implemented. Additionally, we determined that initial access authorizations for a selection of AD accounts were not authorized.
• A periodic recertification of FEMA LAN access accounts is not currently performed to ensure that access is still necessary and appropriate for each individual.
• We compared a listing of active FEMA LAN/AD accounts against a list of FEMA employee separations that had occurred since October 1, 2008. Based on our test work, we determined that 36 accounts remained active and unlocked after the account holder's separation from FEMA.

Recommendation:
• Revise the FEMA LAN and AD account policies to require strong passwords, in accordance with DHS policy.
• Finalize and fully implement the Non-User Specific, Shared, Other Group Type Accounts SOP. Specifically, FEMA should ensure that policies and procedures over the granting and managing of access for group/shared/service and administrator-level user accounts not authorized through NACS are documented and implemented consistently. Additionally, policies and procedures should ensure that, in accordance with DHS policy, a clear business need is established and documented justifying the creation and use of these types of accounts.
• Develop and implement a formal process for performing a periodic recertification of user access to the FEMA LAN which defines requirements and addresses users not accounted for during the planned recertification of NEMIS application access.
• Evaluate and, if appropriate, revise existing procedures over removal of separated user access to ensure that all separated users on the FEMA LAN are removed in a timely manner. Ensure that procedures and processes are implemented consistently to remove network accounts for all separated users immediately upon notification of separation, in accordance with FEMA, DHS, and NIST guidance.

FEMA-IT-09-80          New Issue: X          Risk Rating: 2

Condition:
NFIP has not developed and implemented formal procedures that outline the process for conducting internal scans for the NFIP LAN and for assessing, reporting, and correcting identified weaknesses. We also determined that remediation of vulnerabilities identified during internal scans of the NFIP LAN is not formally tracked and monitored through the POA&M process in accordance with DHS policy. While the NFIP contractor conducts internal vulnerability scans of the NFIP LAN on a monthly basis, select workstations are presently excluded from scanning.

Recommendation:
• Develop and implement formal procedures that outline the internal scan processes and requirements. These procedures should include, at a minimum, the process for assessing, reporting, and correcting weaknesses identified during scans. Additionally, ensure that the scope of vulnerability scans conducted includes all workstations on the NFIP LAN.
• With the involvement of both FEMA management and NFIP contractors, implement procedures for formally tracking and monitoring the remediation of vulnerabilities identified during the internal scans of the NFIP LAN through FEMA's POA&M process.

FEMA-IT-09-81          New Issue: X          Risk Rating: 2

Condition:
FEMA does not have approved and finalized procedures that establish formal requirements, processes, and responsibilities for performing regular vulnerability scans of Core and G&T IFMIS. FEMA also provided us with documented evidence of a G&T IFMIS internal vulnerability scan that was performed on July 17, 2009. However, we noted that the scan was scheduled and performed after our initial request for audit documentation. Additionally, FEMA was unable to provide us with any evidence that prior scans of G&T IFMIS had been performed or scheduled since the system was brought online in FY 2007.

Recommendation:
• Establish and formalize FEMA policies and procedures over the requirements, processes, and responsibilities for performing periodic vulnerability scans for Core and G&T IFMIS instances, in accordance with DHS guidance.
• Ensure that vulnerability assessment scans are performed for G&T IFMIS and that weaknesses identified are formally reported and tracked for remediation through the DHS POA&M process, as required by DHS guidance.

FEMA-IT-09-82          New Issue: X          Risk Rating: 2

Condition:
Upon inspection of the FEMA SOP for installing UNIX patches to the Core and G&T IFMIS instances, we noted that it does not outline the process for defining a timeline for implementing non-emergency and emergency patches or for authorizing, testing, and approving patches for implementation, in accordance with DHS guidance. Furthermore, FEMA IT personnel informed us that documented test results of UNIX patches are not retained by IT personnel after testing is completed.

Recommendation:
Document, finalize, and implement comprehensive patch management policies and procedures for Core and G&T IFMIS, in accordance with DHS policy. Policies and procedures should include requirements for responding to DHS SOC and DHS CSIRC notifications to ensure the timely implementation of required patches and retention of testing documentation.

FEMA-IT-09-83          New Issue: X          Risk Rating: 3

Condition:
We were informed by FEMA IT System Integrations that NEMIS' program directories for the TDL environment, where all User Acceptance Testing (UAT) occurs, and the NEMIS production environment, where the code changes are implemented, are located on one server. Upon review of the processes for restricting access to these directories, we noted the following weaknesses:
• Of the fifteen individuals with access to the server, 3 accounts belonged to development personnel who have write, read, execute, and modify access to all of the server's directories, which allows unrestricted access to both the production and development environments for NEMIS.
• FEMA does not lock down the code in its server directory environment, giving all accounts unrestricted access to the NEMIS TDL and production environment after the code has been approved for implementation. Additionally, while an ad-hoc review is performed over the directories to monitor the modification dates on the production code directories, this process is not performed consistently or documented to mitigate the risk of not locking down the directories.

Recommendation:
• Develop and implement a formalized process and procedures for restricting and monitoring access over the NEMIS production directories to ensure that the principles of least privilege and segregation of duties are enforced, in accordance with DHS guidance. The process should include requirements over the monitoring of NEMIS system directories to ensure that no changes have occurred after the approval of NEMIS system changes.
• Limit the developers' access to the NEMIS production directories to "read only" and segregate the responsibility for delivering application code changes into the NEMIS directory server from the contractor to an independent control group. If business need requires that the segregation of duties cannot be immediately implemented, document policies and procedures to compensate for the risk associated with the segregation of duties weakness noted, in accordance with DHS guidance.
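The second recommendation under FEMA-IT-09-83 asks for monitoring that detects any change to the production directories after a NEMIS change has been approved, rather than an ad-hoc look at modification dates. The following is an added example of one way to do that; it is not code from the report, from FEMA, or from NEMIS. It records a SHA-256 manifest of a release directory at approval time and later compares the live directory against it, reporting files that were added, removed, or modified. The directory name `nemis_prod`, the file names, and the file contents are constructed for the demonstration.

```python
"""Detect changes to a production code directory made after approval.

Added example, not from the OIG report or FEMA. A hash manifest is taken when
the change is approved; a later comparison reports every file that differs,
which is what an inconsistent review of modification dates cannot guarantee.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def build_manifest(root):
    """Return {relative_posix_path: sha256_hex} for every regular file under root."""
    root = Path(root)
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
        manifest[path.relative_to(root).as_posix()] = digest
    return manifest


def diff_manifest(approved, current):
    """Compare the approval baseline with the live tree.

    Returns the files added, removed, or modified since approval; all three
    lists empty means production still matches what was approved.
    """
    approved_paths, current_paths = set(approved), set(current)
    return {
        "added": sorted(current_paths - approved_paths),
        "removed": sorted(approved_paths - current_paths),
        "modified": sorted(p for p in approved_paths & current_paths
                           if approved[p] != current[p]),
    }


def save_manifest(manifest, dest):
    """Persist the baseline. It should live where the independent control
    group, not the developers, holds write access, or the check is moot."""
    Path(dest).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(src):
    return json.loads(Path(src).read_text())


def demo():
    """Constructed walk-through: approve a release, then alter it."""
    with tempfile.TemporaryDirectory() as tmp:
        prod = Path(tmp) / "nemis_prod"          # constructed directory name
        (prod / "lib").mkdir(parents=True)
        (prod / "app.py").write_text("print('release 1.0')\n")
        (prod / "lib" / "util.py").write_text("def helper(): return 1\n")

        # Control group records the baseline at the moment of approval.
        baseline_file = Path(tmp) / "approved_manifest.json"
        save_manifest(build_manifest(prod), baseline_file)

        # Later, an unreviewed write lands in production and a new file appears.
        (prod / "lib" / "util.py").write_text("def helper(): return 2\n")
        (prod / "hotfix.py").write_text("pass\n")

        return diff_manifest(load_manifest(baseline_file), build_manifest(prod))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run on a schedule against the real production path, a non-empty result is the event to document and investigate; it does not replace restricting developers to read-only access, it compensates while that restriction is being put in place.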
FEMA-IT-09-84          New Issue: X          Risk Rating: 3

Condition:
Based on testwork performed, we identified the following weaknesses in PARS database security controls:
• PARS database accounts are not reviewed to identify accounts that have been inactive for 45 days or more, as required by DHS policy for high impact systems.
• Strong passwords are not required and/or enforced in accordance with DHS requirements.
• Database audit logs are not configured to capture auditable events, including failed login attempts and administrator-level actions.
• A periodic recertification of PARS database access accounts is not currently performed to ensure that access is still necessary and appropriate for each individual.
FEMA could not provide evidence that initial PARS database access granted to one of four users was appropriately authorized, and the individual was inappropriately approved for emergency database access by the FSS Chief, rather than the FEMA CISO/ISSO/ISSM or designee, as required by DHS policy.

Recommendation:
• Perform documented periodic reviews of PARS database accounts and disable inactive accounts, in accordance with DHS policy.
• Configure PARS database accounts to adhere to DHS policy for passwords and authenticator controls, including expiration, reuse, and complexity.
• Configure the PARS databases to log events and conduct documented reviews of audit logs, in accordance with FEMA and DHS policy.
• Further define and implement a formal process that documents requirements for configuring, retaining, and reviewing audit trails for the PARS database in accordance with FEMA and DHS policy. Additionally, ensure that all DHS requirements are met through this process, including appropriate supervisory review and retention.
• Further define and establish a formal process for granting initial access and recertifying access specifically to the PARS database that includes appropriate approval from FEMA management and requirements for temporary and emergency access, in accordance with DHS guidance.
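Two of the account conditions above lend themselves to the same periodic review: the comparison of active LAN/AD accounts against employee separations in FEMA-IT-09-79, and the 45-day inactivity threshold in FEMA-IT-09-84. The following is an added example of that review, not code from the report, from FEMA, or from either system. The account export, the separation list, the review date (September 30, 2009) and the October 1, 2008 start of the separation window are constructed for the demonstration; in practice the inputs would be an account export and the HR separation feed.

```python
"""Periodic account review: separated holders still enabled, and idle accounts.

Added example, not from the OIG report or FEMA. Covers the two tests the audit
describes: enabled accounts whose holder separated (FEMA-IT-09-79) and enabled
accounts with no logon in 45 days or more (FEMA-IT-09-84).
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Account:
    username: str
    enabled: bool
    last_logon: Optional[date]   # None: the account has never logged on


@dataclass(frozen=True)
class Separation:
    username: str
    separated_on: date


def separated_but_active(accounts, separations, since, as_of):
    """Enabled accounts whose holder separated on or after `since`.

    Returns {username: days the account stayed enabled past separation},
    measured at the review date `as_of`.
    """
    enabled = {a.username for a in accounts if a.enabled}
    findings = {}
    for sep in separations:
        if sep.separated_on < since or sep.username not in enabled:
            continue
        findings[sep.username] = (as_of - sep.separated_on).days
    return findings


def inactive_accounts(accounts, as_of, max_idle_days=45):
    """Enabled accounts whose last logon is max_idle_days or more before as_of.
    Accounts that have never logged on are reported as well; they are idle too."""
    cutoff = as_of - timedelta(days=max_idle_days)
    return sorted(
        a.username for a in accounts
        if a.enabled and (a.last_logon is None or a.last_logon <= cutoff)
    )


# Constructed sample data (not from the report).
REVIEW_DATE = date(2009, 9, 30)
SEPARATIONS_SINCE = date(2008, 10, 1)

SAMPLE_ACCOUNTS = [
    Account("jdoe", True, date(2009, 9, 28)),
    Account("asmith", True, date(2009, 6, 1)),      # separated, still enabled
    Account("bjones", False, date(2009, 3, 1)),     # separated, correctly disabled
    Account("svc_backup", True, date(2009, 7, 1)),  # service account, idle 91 days
    Account("cwhite", True, date(2009, 9, 1)),      # idle 29 days, within policy
    Account("dlee", True, None),                    # never used
    Account("old_user", True, date(2008, 6, 1)),    # left before the window, idle
]

SAMPLE_SEPARATIONS = [
    Separation("asmith", date(2009, 5, 15)),
    Separation("bjones", date(2009, 3, 5)),
    Separation("old_user", date(2008, 6, 30)),
]


def review(accounts=SAMPLE_ACCOUNTS, separations=SAMPLE_SEPARATIONS,
           since=SEPARATIONS_SINCE, as_of=REVIEW_DATE):
    """Run both checks and return the findings for the review record."""
    return {
        "separated_but_active": separated_but_active(accounts, separations, since, as_of),
        "inactive": inactive_accounts(accounts, as_of),
    }


if __name__ == "__main__":
    for check, result in review().items():
        print(f"{check}: {result}")
```

The separated-user check deliberately reports only enabled accounts, so a correctly disabled account such as `bjones` is not a finding; the inactivity check catches accounts like `old_user` that fall outside the separation window but are still idle, which is the case the 45-day review is meant to cover.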
FEMA-IT-09-85          New Issue: X          Risk Rating: 2

Condition:
Based on observations conducted with the NFIP IT contractor, we determined that while TRRP system passwords were configured to enforce password complexity using alphabetic, numeric, and special characters, the configurations did not limit the use of dictionary words. Additionally, the password configuration did not prevent the password from being any word, noun, or name spelled backwards or appended with a single digit or with a two-digit "year" string, in accordance with DHS guidance.

Recommendation:
No recommendation is required for this weakness that existed for the majority of FY 2009 because it was remedied prior to the end of the audit when the TRRP password settings were reconfigured to enforce complexity requirements that exceed DHS requirements.
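The condition in FEMA-IT-09-85 is precise enough to express as a check: a character-class rule alone passes passwords such as a dictionary word with a year appended. The following is an added example of the rule set the finding describes, not code from the report, from FEMA, or from the TRRP system. The word list is a constructed stand-in; a real deployment would load a full dictionary and name list, and the DHS policy's other requirements (length, history, expiration) are not modelled here.

```python
"""Password rule check for the FEMA-IT-09-85 conditions.

Added example, not from the OIG report or FEMA. A password must contain
alphabetic, numeric and special characters, and must not be a listed word, a
listed word spelled backwards, or a listed word (either way round) with a
single digit or a two-digit year appended. Matching is case-insensitive.
"""
import string

# Constructed stand-in for a dictionary/name list.
SAMPLE_WORDS = {"password", "summer", "fema", "flood", "hurricane", "welcome"}


def complexity_failures(password):
    """Return ["complexity"] if any required character class is missing."""
    has_alpha = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_special = any(not c.isalnum() for c in password)
    return [] if (has_alpha and has_digit and has_special) else ["complexity"]


def word_failures(password, words):
    """Return the ways the password is derived from a listed word."""
    # Judge the alphanumeric core, so "Flood09!" is tested as "flood09".
    core = password.lower().strip(string.punctuation)
    reasons = []
    if core in words:
        reasons.append("dictionary_word")
    if core[::-1] in words:
        reasons.append("reversed_word")
    if len(core) > 1 and core[-1].isdigit():
        base = core[:-1]
        if base in words or base[::-1] in words:
            reasons.append("word_plus_digit")
    if len(core) > 2 and core[-2:].isdigit():
        base = core[:-2]
        if base in words or base[::-1] in words:
            reasons.append("word_plus_year")
    return reasons


def check_password(password, words=SAMPLE_WORDS):
    """All reasons the password fails; an empty list means it is accepted."""
    return complexity_failures(password) + word_failures(password, words)


if __name__ == "__main__":
    for candidate in ["Summer", "Flood09!", "doolF7#", "Gr8!Rv3r$Tq"]:
        print(f"{candidate!r}: {check_password(candidate) or 'accepted'}")
```

`Flood09!` satisfies the character-class rule and is still rejected as a word plus a two-digit year, which is exactly the gap the finding describes; `doolF7#` is caught as a reversed word with one digit appended. The check follows the wording of the condition, so a four-digit year suffix is outside its scope.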
FEMA-IT-09-86          New Issue: X          Risk Rating: 2

Condition:
We noted that the NFIP IT contractors use their individually assigned system administrator accounts to log on and create sessions to allow a third-party development vendor to install Traverse system changes. Additionally, we determined that NFIP does not have a formal process for monitoring changes that the vendor makes in Traverse while logged in as an administrator.

Recommendation:
• In accordance with policy, establish a separate account for the third-party vendor's use to implement Traverse changes, and limit use of the account so that it is activated on an as-needed basis.
• Establish and implement a formal process for monitoring and verifying configuration changes made by the vendor in the Traverse environment, in accordance with DHS policy. Additionally, ensure that these procedures include requirements for documentation retention.

FEMA-IT-09-87          New Issue: X          Risk Rating: 2

Condition:
Procedures for management of FEMA IT security incidents have not been developed, approved, and implemented, in accordance with FEMA and DHS requirements. Additionally, our unannounced FY 2009 vulnerability assessment scanning activity was not detected and appropriately reported by FEMA IT personnel in accordance with DHS and FEMA policy.

Recommendation:
• Develop, approve, and implement an SOP for managing security incidents that clearly outlines roles and responsibilities required to maintain a continuous incident response capability, as required by DHS and FEMA policy.
• Provide training to all personnel with incident response roles and responsibilities.

FEMA-IT-09-88          New Issue: X          Risk Rating: 2

Condition:
During our FY 2009 audit testwork, we noted that NFIP had not formally established a process for authorizing service accounts, documenting the approval and business need for service accounts, and recertifying service accounts on the TRRP system. As a result, authorization forms were not on file for all service accounts, and recertifications of access are only conducted for user accounts.

Recommendation:
• Revise the TRRP access control policies and procedures to ensure that the creation of service accounts is appropriately authorized and that a clear business need is established and documented justifying the creation and use of these types of accounts, in accordance with DHS policy.
• Ensure that policies and procedures over TRRP access authorization include a formalized process for the recertification of service accounts on an annual basis in accordance with DHS policy.

FEMA-IT-09-89          New Issue: X          Risk Rating: 2

Condition:
FEMA did not adequately conduct suitability investigations for FEMA federal employees in accordance with DHS requirements, and position designations associated with employees with elevated system privileges did not have appropriate position sensitivity designations. We also determined that formal procedures were not developed or implemented for conducting suitability screenings of contractors accessing DHS IT systems. Additionally, suitability investigations were not appropriately conducted for contractors with access to multiple FEMA information systems holding sensitive IT security positions, and the contractors did not have position sensitivity designations.

Recommendation:
• Further define and refine processes to ensure that background investigations for all types of federal employees are performed in accordance with DHS directives.
• Reevaluate and assign the correct position sensitivity levels to federal employees with access to DHS information systems in accordance with DHS policy.
• Implement procedures within FEMA Acquisitions, FEMA Personnel Security, and FEMA IT to ensure a more centralized and coordinated process for tracking and completing background investigations over contracting personnel in accordance with DHS policy.
• Ensure that all system owners formally and correctly define the appropriate suitability designation for contracting personnel needing access to their information systems in accordance with DHS policy. Additionally, ensure that position sensitivity designations distinguish between various levels of access and require the contractor to have their suitability investigation completed prior to being granted access.

FEMA-IT-09-90          New Issue: X          Risk Rating: 3

Condition:
We determined that FEMA has certified the FEMA Switch Network (FSN)-2 switch network, which is comprised of various FEMA LANs across the regions, and each LAN is classified as a subsystem of the switch network. During our review of the C&A package, we noted that the Maryland (MD) National Processing Service Center (NPSC) is considered to be a subsystem to the overarching General Support System (GSS) FSN-2 and that the primary servers for the NEMIS, Core IFMIS, and G&T IFMIS financial applications reside on this portion of the LAN. However, the document states that no current accreditation or certification letters could be found for that subsystem during the certification and accreditation of the FSN-2 package. Specifically, there is no evidence in the package that the required C&A elements have been completed/updated, documented, or approved for MD NPSC in accordance with DHS guidance. We further noted that the C&A package states that C&A activities are to be completed for the MD NPSC subsystem at a separate time and that no security roles were defined for the MD NPSC within the C&A. We inquired with FEMA Information Technology (IT) Security and management to determine the status of the MD NPSC C&A package and were not provided with any additional information as to the status of the C&A package. Additionally, upon further review of the C&A package, we noted that both the MD NPSC and the regional LANs are within scope of this review, as NEMIS has servers at multiple regional sites. Furthermore, we determined that management had not adequately completed the C&A package over FSN-2 according to DHS policy.

Recommendation:
• Formally designate an ISSO and DAA for the MD NPSC.
• Immediately conduct an assessment of key controls that help ensure confidentiality and availability of data for security weaknesses, and determine the operational risk related to the MD NPSC LAN supporting FEMA financial applications. Weaknesses identified should be documented with plans for accelerated remediation efforts, or related risks should be formally accepted by FEMA.
• Review and revise the FSN-2 C&A package to reflect the current GSS environment in accordance with DHS and Federal guidance. Additionally, ensure that the C&A package has been completed to include the required artifacts, addresses the security controls for the various subsystems, and assigns and updates the appropriate security roles for each subsystem.

FEMA-IT-09-91          New Issue: X          Risk Rating: 2

Condition:
FEMA does not have a formal process for adequately tracking FEMA contractors throughout the on-boarding, termination, and transfer processes. Furthermore, we noted that the process established for notifying the FEMA OCIO of changes in a contractor's status, so that accounts can be disabled/removed or account profiles can be appropriately modified in the required timeframe, is not effective or comprehensive. Specifically, there are no formal requirements for COTRs to notify the OCIO of separating contractors.

Recommendation:
Document and implement procedures, according to DHS guidelines and requirements, that track the on-boarding, transfer, and separation of contractors. Ensure that the policies and procedures include:
• The assignment of roles and responsibilities to appropriate FEMA management and stakeholders.
• Steps for notifying the FEMA OCIO that a
                                                  contractor is separating or transferring so that\n                                                                   the contractor will have their systems access\n                                                                   removed or modified in a timely manner, in\n                                                                   accordance with DHS policies.\n                                                              \xe2\x80\xa2    Regularly distribute a listing of terminated\n                                                                   contract personnel to information system\n                                                                   administrators so they can remove user access\n                                                                   timely.\n\n\n\n\n                                                                  61\n        Information Technology Management Letter for FEMA Component of the FY 2009 DHS Integrated Audit\n\x0c                                                                               Appendix C\n\n                            Department of Homeland Security\n \n\n                        Federal Emergency Management Agency \n\n                        Information Technology Management Letter \n\n                                   September 30, 2009\n\n\n\n\n                                     Appendix C \n\n\nStatus of Prior Year Notices of Findings and Recommendations (NFR) \n\n                         and Comparison to\n \n\n                      Current Year NFRs at the \n\n               Federal Emergency Management Agency \n\n\n\n\n\n                                           62\nInformation Technology Management Letter for FEMA Component of the FY 2009 DHS Integrated \n\n                                           Audit\n \n\n\x0c                                                                                                        Appendix C\n\n      
Each prior year NFR is listed below with its description and disposition (Closed, or Repeat under the current year NFR number).

FEMA-IT-08-02 (Disposition: Repeat, FEMA-IT-09-02)
    During our vulnerability assessment technical testing, certain configuration management weaknesses were identified on Integrated Financial Management Information System (IFMIS) and National Emergency Management Information System (NEMIS) database instances and on key support servers. Specifically, servers were identified with password and auditing configuration weaknesses.

FEMA-IT-08-03 (Disposition: Repeat, FEMA-IT-09-03)
    IFMIS accounts did not complete a new Federal Emergency Management Agency (FEMA) Form 20-24 in response to the recertification process.

FEMA-IT-08-06 (Disposition: Repeat, FEMA-IT-09-06)
    We noted that FEMA has made a management decision not to develop policies and procedures over the modification of IFMIS account functions until the new IFMIS system upgrade occurs. We noted that FEMA has reported in the Plan of Action and Milestones (POA&M) that they expect to address corrective action for this weakness in FY 2010. As a result, a formalized process does not exist to guide Financial Services Section (FSS) staff in the modification of the system to ensure that appropriate privileges are created, documented, and approved for a specific function.

FEMA-IT-08-12 (Disposition: Repeat, FEMA-IT-09-12)
    FEMA informed us that the automated manager certification process has not yet begun. Therefore, the FY 2008 recertification has not been completed and the risk of unauthorized users accessing NEMIS was present for a majority of the fiscal year.

FEMA-IT-08-13 (Disposition: Repeat, FEMA-IT-09-13)
    We were informed that terminated IFMIS users are to have the "DELETEUSER" role applied to their account profile prior to being removed from the application, which overrides all existing roles and deactivates any existing privileges within the application although the individual can still log into the account. However, FEMA Instruction 2200.7 specifies that personnel separating from FEMA shall have all IFMIS access privileges cancelled and their user account removed. Consequently, although the risk is mitigated by the limited access rights on the accounts with the "DELETEUSER" privilege, those six accounts demonstrate that the policies and procedures surrounding the IFMIS terminated user process are not consistently applied and the accounts have not been removed. Additionally, 4 out of the 10 accounts remained on the IFMIS system with an active status.

FEMA-IT-08-17 (Disposition: Repeat, FEMA-IT-09-17)
    There is no documented evidence to support that monitoring of the "ifmiscm" directory and sub-directories is occurring.

FEMA-IT-08-19 (Disposition: Repeat, FEMA-IT-09-19)
    While FEMA informed us that system software activity is logged, we were unable to obtain evidence that the audit logs were reviewed on a periodic basis.

FEMA-IT-08-22 (Disposition: Repeat, FEMA-IT-09-22)
    Per inspection of the POA&M, we noted that corrective action was initiated by FEMA to implement an alternate processing facility for NEMIS, but that the alternate site has not been established.
    Due to the magnitude of the project scope, implementation of an alternate processing site will not be achieved within 12 months. Consistent with DHS policy for corrective actions that cannot be implemented within 12 months, a Department of Homeland Security (DHS) Information Technology (IT) Security Program Waiver (number WR-2008-012) was approved by the DHS Chief Information Security Officer (CISO) in March 2008 to provide FEMA with additional time to plan and develop an effective alternate processing site for NEMIS. Per DHS policy, the waiver must be reviewed, updated, and re-approved by the appropriate management officials every six months.
    As required by DHS policy, the approved waiver describes the mitigating efforts, management's acceptance of the associated residual risk, and a plan for attaining compliance with DHS policy. The waiver also documents the compensating controls to mitigate risk until the alternate processing site is implemented. The compensating controls are to be derived by conducting annual table-top exercises and ensuring that regular backups of critical NEMIS data and offsite backup storage are performed. However, a fully successful table-top test of NEMIS has not been conducted for FY 2008. The waiver granted provides an extension of time to implement corrective action, but the associated risk still remains.

FEMA-IT-08-23 (Disposition: Closed)
    IFMIS system administrators conducted ad hoc backup tape restores for system users and performed a full database restore in March 2008 during a server upgrade. However, there was no evidence that quarterly testing was conducted or that FEMA has a formalized process to test backup tapes more frequently than annually.

FEMA-IT-08-24 (Disposition: Repeat, FEMA-IT-09-24)
    We noted that the tape restore schedule requires quarterly testing of backup tapes beginning no earlier than FY 2009.
    Additionally, we determined that the NEMIS contingency plan was not tested and consequently a full NEMIS backup tape restore did not occur in FY 2008. Rather, NEMIS system administrators conducted ad hoc backup tape restores at the request of system users during the fiscal year.

FEMA-IT-08-25 (Disposition: Repeat, FEMA-IT-09-25)
    Due to the magnitude of the project scope to establish a "real-time" alternate processing site for NEMIS, FEMA was unable to implement corrective actions to fully remediate the prior year finding within 12 months. Consistent with DHS policy for findings that cannot be remediated within 12 months, a DHS IT Security Program Waiver (number WR-2008-012) was approved by the DHS CISO in March 2008 to provide FEMA with additional time to plan and develop an effective alternate processing site for NEMIS. Per DHS policy, the waiver must be reviewed, updated, and re-approved by the appropriate management officials every six months. The waiver identifies that until the alternate processing site is implemented and full scale testing can be conducted, compensating controls will be implemented by conducting annual table-top exercises.
    Additionally, at the close of our audit test work, we determined that annual table-top testing had not been conducted and documented. We determined that the most recently conducted table-top review of the NEMIS contingency plan occurred on July 21, 2007 and was conducted for processes, procedures, and scenarios identified in the contingency plan dated June 29, 2007. We noted that the documented results of the July 2007 test stated that FEMA was unable to successfully complete steps that were planned to be conducted during the Recovery Procedure Activation phase due to material weaknesses and deficiencies cited in the recovery procedures.

FEMA-IT-08-28 (Disposition: Repeat, FEMA-IT-09-28)
    During our FY 2008 follow-up test work, we tested a selection of 40 NEMIS non-emergency application level Software Change Requests (SCR) that had occurred since October 1, 2007. Of the 40 SCRs tested, we noted the following exceptions:
    • 29 SCRs did not have testing documentation attached to the SCR;
    • 36 SCRs did not obtain Test and Development Laboratory (TDL) approval; and
    • 32 SCRs did not obtain Technical Review Committee (TRC) approval.

FEMA-IT-08-29 (Disposition: Repeat, FEMA-IT-09-29)
    We noted that TRC approvals for NEMIS application level emergency changes did not consistently follow FEMA and DHS guidance. Specifically, we determined that of 25 emergency NEMIS changes selected for testing:
    • 22 changes did not have documented TRC approval;
    • 4 did not gain SCR approval prior to implementation into production;
    • 16 did not gain TDL approval; and
    • 6 did not have related testing documentation attached.

FEMA-IT-08-38 (Disposition: Repeat, FEMA-IT-09-38)
    We were referred to Section 2.2.1 of the National Flood Insurance Program (NFIP) Local Area Network (LAN) Administrative Manual as guidance on segregating incompatible duties. Based on our review of the manual, we noted that it does not include policies and procedures regarding segregating incompatible duties within Traverse. Additionally, while we noted that system roles and responsibilities have been documented, the Traverse duties that are incompatible are not documented.

FEMA-IT-08-39 (Disposition: Repeat, FEMA-IT-09-39)
    During our test work, we noted that a planned update and subsequent testing of the Traverse Contingency Plan was not conducted and that system fail-over capability at the alternate processing site had not been tested. Additionally, the NFIP Disaster Recovery and Continuity of Operations Plan was not updated to include the Transaction Recording and Reporting Processing (TRRP) and Traverse alternate processing facility or TRRP critical data files and restoration priorities.

FEMA-IT-08-45 (Disposition: Repeat, FEMA-IT-09-45)
    IFMIS user access is not managed in accordance with account management procedures.

FEMA-IT-08-46 (Disposition: Repeat, FEMA-IT-09-46)
    The existing Memorandum of Understanding with the Department of Treasury expired in October 2007.

FEMA-IT-08-47 (Disposition: Closed)
    Based upon our review, we determined that the Interconnection Sharing Agreement between FEMA and the Small Business Administration expired in July 2007 and has not been reauthorized and reissued, as required by DHS policy.

FEMA-IT-08-48 (Disposition: Repeat, FEMA-IT-09-48)
    The vulnerabilities identified from the NEMIS scans are not reported and tracked via DHS' POA&M process.

FEMA-IT-08-49 (Disposition: Closed)
    We noted that the software was improperly configured so that the user's ability to change the following settings had not been disabled:
    • File System Auto-Protect for automatically scanning system files for threats, known viruses, and worms on a continuous basis when Windows is started;
    • Microsoft Exchange Auto-Protect for automatically scanning Outlook and/or Outlook Express messages for viruses;
    • Lotus Notes Auto-Protect for automatically scanning incoming and outgoing Lotus Notes messages; and
    • Internet Email Auto-Protect for scanning all incoming and outgoing e-mail messages other than Outlook and/or Outlook Express.

FEMA-IT-08-50 (Disposition: Repeat, FEMA-IT-09-50)
    We performed test work over audit logging on the IFMIS application and Oracle database. Based upon inquiry and inspection of documentation, we determined that on a daily basis, an automated report is generated and emailed to the database administrators and FSS personnel for review. However, while this report is distributed for review by the database administrators and FSS staff, no evidence that the reviews are conducted is retained.
    Additionally, we noted that while FEMA Instruction 2200.7, IFMIS User Access Instruction, assigns the responsibility of conducting this weekly review to FSS, FEMA personnel do not formally document that the review is conducted.

FEMA-IT-08-51 (Disposition: Repeat, FEMA-IT-09-51)
    We noted that the Standard Operating Procedure (SOP) does not comprehensively address requirements of FEMA Directive 140-1, FEMA IT Security Policy. Specifically, the SOP does not require the monitoring of modifications to account tables and other highly-privileged and administrator-level activities.
    Additionally, we noted that the SOP requires database administrators to initial and retain printed logs as evidence that reviews are conducted as required. However, FEMA informed us that this portion of the SOP was not being performed.

FEMA-IT-08-52 (Disposition: Repeat, FEMA-IT-09-52)
    Finalization and implementation of the Security Operations Center SOP - FEMA Information Security Vulnerability Management, which specifies the timeframe for installing security patches, has been delayed due to organizational changes.

FEMA-IT-08-53 (Disposition: Repeat, FEMA-IT-09-53)
    Upon inspection of the NEMIS System Security Plan (SSP) that is a part of the certification and accreditation (C&A) package, we noted that the server and host names listed in Appendix B of the SSP are not accurate. Specifically, the listing of system components is not comprehensive and portions of information, such as system owners, are not up to date.

FEMA-IT-08-54 (Disposition: Repeat, FEMA-IT-09-54)
    In FY 2008, we determined that NFIP had documented and implemented the Traverse System Change Control Procedures. During the audit, we determined that two Traverse changes had been implemented since October 1, 2007. We obtained change documentation for both changes and noted that testing documentation was not retained for these changes.

FEMA-IT-08-55 (Disposition: Closed)
    During our FY 2008 test work, we noted that NFIP documented and implemented the NFIP Technical Services Department Production Systems Control Unit Procedures that provide guidance on implementing changes into the production environment. We selected for testing eight TRRP changes that had been implemented since October 1, 2007.
    Of the eight tested, we identified that test results were not available for one change.

                                                                                                         Appendix D

                                                                      U.S. Department of Homeland Security
                                                                      Washington, D.C. 20472

                                       APR 21 2010                                    FEMA

    MEMORANDUM FOR:  Frank Deffer
                     Assistant Inspector General
                     Information Technology Audits

    THROUGH:         Brad Shefka
                     Chief, FEMA GAO/OIG Liaison

    FROM:            Jean A. Etzel
                     Chief Information Officer/Director
                     Office of the Chief Information Officer

    SUBJECT:         Response to Draft Audit Report - Information Technology Management Letter for the FEMA FY 2009 Financial Statement Audit, dated March 2010

    The Federal Emergency Management Agency (FEMA) appreciates the Department of Homeland Security (DHS) Office of the Inspector General providing KPMG's evaluation of FEMA's information technology (IT) general controls and their recommendations for improving FEMA's financial processing environment and related IT infrastructure. The evaluation has been very helpful in identifying areas requiring improvement and prioritizing work to implement their recommendations.

    FEMA concurs with each of the auditor's recommendations in the report referenced above. The Chief Information Officer (CIO) is resolute in directing these audit recommendations be effectively implemented in a timely manner. The Governance and Investment Integration Branch (GIIB), which the CIO created to manage audit activities, will hold weekly meetings with Action Officers to review the status of implementing these recommendations and address issues that are impeding progress. Branch Chiefs will receive weekly reports reflecting the current status of their organization's assigned actions and will work diligently to correct findings and implement recommendations.

    FEMA develops and maintains a detailed Plan of Action and Milestones (POA&M) for each audit recommendation in the DHS Trusted Agent FISMA (TAF) system. We believe these POA&Ms provide the specific responses to each audit recommendation that you requested. If you have any questions regarding the status of the planned actions, we are available to meet with your office. FEMA's senior leadership is committed to completing the remaining actions included in each of the POA&Ms at the earliest possible time.

    If you have any questions, please have your staff contact Landon V. Cochran, Chief, Governance and Investment Integration Branch, at 202-646-8272.

                                                                                 Appendix E

                   Report Distribution

                   Department of Homeland Security

                   Secretary
                   Deputy Secretary
                   General Counsel
                   Chief of Staff
                   Deputy Chief of Staff
                   Executive Secretariat
                   Under Secretary, Management
                   Administrator, FEMA
                   DHS Chief Information Officer
                   DHS Chief Financial Officer
                   Chief Financial Officer, FEMA
                   Chief Information Officer, FEMA
                   Chief Information Security Officer
                   Assistant Secretary, Policy
                   Assistant Secretary for Public Affairs
                   Assistant Secretary for Legislative Affairs
                   DHS GAO OIG Audit Liaison
                   Chief Information Officer, Audit Liaison
                   FEMA Audit Liaison

                   Office of Management and Budget

                   Chief, Homeland Security Branch
                   DHS OIG Budget Examiner

                   Congress

                   Congressional Oversight and Appropriations Committees as Appropriate

ADDITIONAL INFORMATION AND COPIES

To obtain additional copies of this report, please call the Office of Inspector General (OIG) at (202) 254-4100, fax your request to (202) 254-4305, or visit the OIG web site at www.dhs.gov/oig.

OIG HOTLINE

To report alleged fraud, waste, abuse or mismanagement, or any other kind of criminal or noncriminal misconduct relative to department programs or operations:

• Call our Hotline at 1-800-323-8603;

• Fax the complaint directly to us at (202) 254-4292;

• Email us at DHSOIGHOTLINE@dhs.gov; or

• Write to us at:
       DHS Office of Inspector General/MAIL STOP 2600,
       Attention: Office of Investigations - Hotline,
       245 Murray Drive, SW, Building 410,
       Washington, DC 20528.

The OIG seeks to protect the identity of each writer and caller.